The answer is simple.  But of course there are different ways to do the same thing.

Using the find command

find -name '*' -type d -exec chmod 0755 {} \;

NOTE: the -name ‘*’ parameter is used to keep from modifying the present working directory or ‘.’ directory.

find . -type f -exec chmod 0644 {} \;

Using chmod with capital X

The capital X will cause directories and files that are executable (for user and group) to be set as executable. Other files will not be set as executable.

chmod -R ug+rX .

Other uses of the find command

Modifying specific file types:

find -name '*.pdf' -exec chmod 0755 {} \;

NOTE: you can insert any command in after the -exec but before the {} (chmod 0775) such as ‘chown’.

My common usage

I often setup new Wordpress installations. I like to get ownership and permission sorted out quickly.  I’ll use this as my example.

In your Wordpress root directory:

chown your-username.www-data * -R
find -name '*' -type d -exec chmod 2750 {} \;
find . -type f -exec chmod 2640 {} \;

NOTE: the 2750 and 2640 sets a bit so that all directories that are created by the www-data user in my case will have the same permissions and ownership as the the other files.  Otherwise the www-data user may create files that are owned by itself and the your-username may not be able to modify them easily.

Now change so that the wp-content/{uploads,plugins,themes} directories are writable to the www-data group. This is so that the web server can upload photos and auto-update plugins/themes.

cd wp-content
mkdir uploads
chown your-username.www-data uploads
find -name '*' -type d -exec chmod 2770 {} \;
find . -type f -exec chmod 2660 {} \;

DenyHosts is a Python based security tool for SSH servers.

DenyHosts is a python script that is run on any Linux or BSD based system to help block SSH based attacks. It works to prevent both “dictionary based” and “brute force” attacks. Also provided is a system to synchronize block lists between other users of DenyHosts.

Continue reading for the complete guide…

It works by scanning the SSHD log files (/var/log/auth.log or /var/log/secure) and discovering failed login attempts. Attacks are triggered by number of failed attempts or invalid username login attempts. After it discovers an attack it inserts the IP address into the /etc/hosts.deny file which will block that IP from connecting to your system in the future. Check out the features page for a full set of features.

I started using DenyHosts after I noticed a surprising number of failed login attempts in my sshd logs. After I installed DenyHosts it discovered over 50 IPs that were attempting to gain access to my system and started blocking them. I quickly discovered the synchronization features and have not looked back. Now I maintain a blocklist near 9000 IPs long.

Base System

I am going to describe how to setup a basic server firewall with this base system as the example:

• Ubuntu Server 8.04 LTS (hardy)
• basic apt sources. (hardy main, hardy-updates main, hardy-security main)

Installation

sudo apt-get install denyhosts

Configuration

Modify the configuration file /etc/denyhosts.conf to include these settings.

SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 			# When set to blank system will never purge block list.
BLOCK_SERVICE  = sshd		# When set to SSHD the ssh server will be blocked,
				# when set to ALL the IP will be blocked for all services.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 5
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES		# This will do a hostname lookup.  Set to NO for improved performance.
LOCK_FILE = /var/run/denyhosts.pid

       ############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = 			# Leave Blank or use your email address for reports on blocked IPs.
SMTP_HOST = localhost           # localhost if you are running your own email server or set to an external server
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d

   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

   #########   THESE SETTINGS ARE SPECIFIC TO     ##########
   #########       DAEMON SYNCHRONIZATION         ##########
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3

Sync Server setup is optional. If you only want to block attempts on your server comment out the ‘SYNC_SERVER’ line.

Start the Service

sudo /etc/init.d/denyhosts restart

Other Resources

• DenyHosts Homepage
• HowToForge Article on DenyHosts Configuration
• Fail2ban – Similar to DenyHosts except that it scans other logs such as Apache, Postfix, SSHD and creates its ban lists using iptables or netfilter’s deny.hosts file.

I started using LaTeX for its ease of writing mathematical equations and expression. Anyone who has tried fooling with Microsoft Word’s equation editor realizes that it is time consuming, looks terrible, and will agree that there must be an easier way. That way is LaTeX.

LaTeX is a typesetting tool that excels with many types of documents such as academic journals, books, and complex mathematical formulas. One thing that it is great with is keeping track of references and bibliographies.

One thing to understand is that LaTeX is not for everyone. It will be confusing and complex to most users. There are tools that make it easier, but at its base you will be writing in a type of markdown language that is part of the barrier to entry.

photo credit: basheertome

What is LaTeX?

LaTeX is a high-quality typesetting system; it includes features designed for the production of technical and scientific documentation. LaTeX is the de facto standard for the communication and publication of scientific documents. LaTeX is available as free software. – http://www.latex-project.org/

LaTeX Features

• Typesetting journal articles, technical reports, books, and slide presentations.
• Control over large documents containing sectioning, cross-references, tables and figures.
• Typesetting of complex mathematical formulas.
• Advanced typesetting of mathematics with AMS-LaTeX.
• Automatic generation of bibliographies and indexes.
• Multi-lingual typesetting.
• Inclusion of artwork, and process or spot colour.
• Using PostScript or Metafont fonts.

– LaTeX Project

What I Use

I work with LaTeX on both Mac OSX and Linux systems. Most Linux distributions make it simple to install LaTeX either being included or simply from package managers. Mac OSX is a bit different.

To make my life easier I use the MacTeX LaTeX Distribution with Macromates TextMate OSX text editor. By installing the MacTeX distribution you will be given all the command line tools, fonts, and converters you will need. TextMate will give you syntax highlighting and access to other tools that will make you life easier. But all you really need is a text editor and the command line.

Good luck with your journey into the LaTeX world.

LaTeX Resources

Here is a list of resources so both you and I can remember them in the future! Enjoy!

• LaTeX Project
• MacTeX OSX LaTeX Distribution
• A Quick & Dirty Guide to LaTeX
• LaTeX Math Symbols
• LaTeX Reference
• Including Graphics in a LaTeX Document

IPKungFu is an iptables-based Linux firewall. It aims to simplify the configuration of Internet connection sharing, port forwarding, and packet filtering. — http://freshmeat.net/projects/ipkungfu/

IPKungFu better described as being a smart script that eases creation complex firewall rules. Creating a gateway firewall, internet sharing, or simply setting up a basic firewall are all simple tasks. By default it includes advanced logging, syn-flood protection, and port scanning protection.

photo credit: masochismtango

Continue for the complete guide…

I am going to describe how to setup a basic server firewall with this base system as the example:

• Ubuntu Server 8.04 LTS (hardy)
• basic apt sources. (hardy main, hardy-updates main, hardy-security main)

Install

user@server# sudo apt-get install ipkungfu

Configure

open ‘/etc/ipkungfu/ipkungfu.conf’ and change these settings:

GATEWAY=0
BLOCK_PINGS=1  #keep the ICMP port open for Nagios!!
SUSPECT="DROP"	#'DROP' is the same as Stealth on consumer routers
KNOWN_BAD="DROP"
PORT_SCAN="DROP"
GET_IP="AUTO"
DISALLOW_PRIVATE=1  #for servers to reject private IPs as spoofs
FAILSAFE=1

open ‘/etc/ipkungfu/services.conf’ and add ‘ACCEPT’ to the services you want:

# The defaults.  I set SSH, HTTP, and HTTPS services to 'ACCEPT'
ftp-data:20:tcp
ftp:21:tcp
ssh:22:tcp:ACCEPT
telnet:23:tcp
smtp:25:tcp
domain:53:tcp
bootps:63:tcp
http:80:tcp:ACCEPT
pop3:110:tcp
auth:113:tcp
ntp:123:tcp
imap:143:tcp
https:443:tcp:ACCEPT
imaps:993:tcp
pop3s:995:tcp
socks:1080:tcp

# Custom Services
# form: ServiceName:ServicePort:Protocol[:ACCEPT|DROP|REJECT|or any valid target)]
splunk:8000:tcp:ACCEPT

It will be important to enable SSH if you are working on a remote machine. Otherwise your firewall will block you from creating new connections.

You can add custom IPTABLES rules to the ‘/etc/ipkungfu/custom.conf’. For example:

### Custom MAC address to be Accepted for full access to machine.
$IPTABLES -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

Please note that MAC addresses are not a secure. They are trivially spoofed. This is used as an example.

Test Configuration

user@server# sudo ipkungfu --test

Should display something similar:

Checking integrity: ..	PASSED
Checking configuration...
 TTL support detected!
 MARK support detected!
Clearing old chains and tables...
Implementing custom rules...
Handling Services On The Following Ports...
-------------------------------
 Port  Protocol  Name   Target
-------------------------------
 22    tcp       ssh    ACCEPT
 80    tcp       http   ACCEPT
 443   tcp       https  ACCEPT
-------------------------------
Creating proc settings cache:	OK
Creating iptables rules cache:	OK

This should display all the ports you want to keep open. Did you open SSH?

Enable On Reboot

Edit ‘/etc/default/ipkungfu’:

IPKFSTART=1

Start the Service

user@server# sudo ipkungfu

Other Resources

• http://www.linuxkungfu.org/ — Authors Site
• http://freshmeat.net/projects/ipkungfu/ — Freshmeat Tracker
• https://help.ubuntu.com/community/firewall/ipkungfu — Ubuntu Community Documentation

My greatest recommendation for a secure Nagios installation would be a mixture of the techniques I am describing but also to not open the Nagios server outside your internal network. Additional Techniques

• Stronger Authentication using Digest Authentication. If you have followed the quickstart guides, chances are that you are using Apache’s Basic Authentication. Basic Authentication will send your username and password in “clear text” with every http request. Consider using a more secure method of authentication such as Digest Authentication which creates a MD5 Hash of your username and password to send with each request.
• Forcing TLS/SSL for all Web Communication. Apache provides TLS/SSL through the mod_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography.
• Locking Down Apache Using Access Controls. Consider locking down access to the Nagios box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system.

Implementing Digest Authentication
The implementation of Digest Authentication is simple. You will have to create the new type of password file using the ‘htdigest’ tool, then modify the Apache configuration for nagios (typically /etc/httpd/conf.d/nagios.conf).
Create a new passwords file using the ‘htdigest’ tool. The difference that you will notice if you are familiar with ‘htpasswd’ tools is the requirement to supply a ‘realm’ argument. Where ‘realm’ in this case refers to the value of the ‘AuthName’ directive in the Apache configuration.

htdigest -c /usr/local/nagios/etc/.digest_pw "Nagios Access" nagiosadmin

Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) using the following example.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     Options ExecCGI
     AllowOverride None
     Order allow,deny
     Allow from all
     AuthType Digest
     AuthName "Nagios Access"
     AuthUserFile /usr/local/nagios/etc/.digest_pw
     Require valid-user


Alias /nagios "/usr/local/nagios/share"

     Options None
     AllowOverride None
     Order allow,deny
     Allow from all
     AuthType Digest
     AuthName "Nagios Access"
     AuthUserFile /usr/local/nagios/etc/.digest_pw
     Require valid-user

## END APACHE CONFIG SNIPPETS

Then, restart the Apache service so the new settings can take effect.

/etc/init.d/httpd restart

Implementing Forced TLS/SSL
Make sure you’ve installed Apache and OpenSSL. By default you should have mod_ssl support if you are still having trouble you may find help reading Apache’s TLS/SSL Encryption Documentation.

Next, verify that TLS/SSL support is working by visiting your Nagios Web Interface using HTTPS (https://your.domain/nagios). If it is working you can continue on to the next steps that will force using HTTPS and block all HTTP requests for the Nagios Web Interface. If you are having trouble visit Apache’s TLS/SSL Encryption Documentation and Google for troubleshooting your specific Apache installation.

Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by adding the ‘SSLRequireSSL’ directive to both the ’sbin’ and ’share’ directories.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     ...
     SSLRequireSSL
     ...


Alias /nagios "/usr/local/nagios/share"

     ...
     SSLRequireSSL
     ...

## END APACHE CONFIG SNIPPETS

Restart the Apache service so the new settings can take effect.

/etc/init.d/httpd restart

Implementing IP subnet lockdown
The following example will show how to lock down Nagios CGIs to a specific IP address, IP address range, or IP subnet using Apache’s access controls.
Edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by using the ‘Allow’, ‘Deny’, and ‘Order’ directives using the following as an example.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     ...
     AllowOverride None
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 10.0.0.25		# Allow single IP addresses
     Allow from 10.0.0.0/255.255.255.0		# Allow network/netmask pair
     Allow from 10.0.0.0/24			# Allow network/nnn CIDR spec
     ...


Alias /nagios "/usr/local/nagios/share"

     ...
     AllowOverride None
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 10.0.0.25		# Allow single IP addresses
     Allow from 10.0.0.0/255.255.255.0		# Allow network/netmask pair
     Allow from 10.0.0.0/24			# Allow network/nnn CIDR spec
     ...

## END APACHE CONFIG SNIPPET

Important Notes

• Digest Authentication sends data in the clear but not your username and password.
• Digest Authentication is not as universally supported as Basic Authentication.
• TLS/SSL has potential for “man-in-the-middle attacks“. MITM attacks are vulnerable if an attacker is able to insert itself between the server and client such as in a Phishing attack, ISP monitoring, or corporate LAN firewall certificate resigning. So read up on certificate verification!
• Apache access controls only protect the HTTP/HTTPS protocols. Look into IPtables for strong system wide firewall control.
• Most importantly, Security is a moving target so stay informed and do research! Perhaps by listening to a Podcast such as “Security Now!“.

The Conference itself was really busy.  They had 3 to 4 tracks every session, with at least 1 track being in English.  This really means that I wake up at 8am, conference starts at 9am, ends at 5pm, with 15min breaks between sessions.  After 5pm there is dinner or bars that we then go to and stay till 2am or 3am.  I have to say that I was completely exhausted when I finally got home.

The best part was I finally got to meet many people that I have only communicated with by email.  I was able to hang out with some of the German community members Hendrik, Joerg, Matthias, and Michael one evening.  We had some great talks about Germany, working in Germany, the future of Nagios, with American Politics splattered in there for good measure.

photo credit: Docklandsboy