Installing and using Git and GitHub on Ubuntu Linux: A beginner's guide


Installing and Using Git and GitHub on Ubuntu Linux: A Beginner's Guide

Git is a powerful version control system, and GitHub is a platform for hosting Git repositories. If you're working on a collaborative project or managing code, learning Git and GitHub is essential. In this beginner's guide, we will cover the steps to install Git, configure it, and get started with GitHub on an Ubuntu Linux system.

Table of Contents

  1. Introduction to Git and GitHub
  2. Installing Git on Ubuntu
  3. Setting Up Git Configuration
  4. Creating and Managing Local Git Repositories
  5. Creating a GitHub Account
  6. Connecting a Local Repository to GitHub
  7. Basic Git Commands
  8. Cloning a Repository from GitHub
  9. Making Changes and Pushing to GitHub
  10. Conclusion

1. Introduction to Git and GitHub

Git is a distributed version control system that allows developers to track changes in their code, collaborate with others, and manage their projects efficiently. GitHub is an online platform where developers can host and share Git repositories, collaborate on projects, and contribute to open-source software.

Whether you're developing software or managing content, Git and GitHub are invaluable tools for version control and collaboration.


2. Installing Git on Ubuntu

Installing Git on Ubuntu is straightforward. Follow these steps:

Step 1: Update Your Package List

Open your terminal and update your system’s package list to ensure you are installing the latest version of Git:

bash
sudo apt update

Step 2: Install Git

Once the update is complete, install Git using the following command:

bash
sudo apt install git

Step 3: Verify the Installation

After the installation is complete, verify that Git has been installed by checking the version:

bash
git --version

You should see an output that confirms the version of Git installed (e.g., git version 2.x.x).


3. Setting Up Git Configuration

Before using Git, you need to set up your user information that will be associated with the changes you commit.

Step 1: Set Your Username

Run the following command to set your global username:

bash
git config --global user.name "Your Name"

Step 2: Set Your Email Address

Next, set your email address with this command:

bash
git config --global user.email "your-email@example.com"

Step 3: Verify Configuration

You can verify your Git configuration by running:

bash
git config --list

This will display your username and email along with other settings.


4. Creating and Managing Local Git Repositories

Now that Git is installed, you can create a local Git repository to start managing your projects.

Step 1: Create a New Directory

First, create a directory where you will store your project. For example:

bash
mkdir my-project cd my-project

Step 2: Initialize a Git Repository

Initialize a Git repository in the directory with the following command:

bash
git init

This will create a new Git repository in your project folder, which you can now use to track changes.


5. Creating a GitHub Account

If you don't have a GitHub account yet, follow these steps to create one:

  1. Visit GitHub.
  2. Click Sign Up.
  3. Enter your email, username, and password.
  4. Follow the instructions to complete your account setup.

Once your account is ready, you can create repositories and share your code online.


6. Connecting a Local Repository to GitHub

After creating a local repository, you can link it to a GitHub repository to store your project online.

Step 1: Create a New Repository on GitHub

  1. Log in to your GitHub account.
  2. Click the New button on the repositories page.
  3. Enter a repository name and description, then click Create repository.

Step 2: Add the Remote URL to Your Local Repository

Once you create a repository on GitHub, you will get a remote URL. Add this remote URL to your local repository:

bash
git remote add origin https://github.com/username/repository-name.git

Step 3: Verify the Remote URL

To ensure the remote URL has been added successfully, run:

bash
git remote -v

7. Basic Git Commands

Here are some essential Git commands to get you started:

  • git status: Check the status of your repository (untracked files, changes, etc.).
  • git add: Add files to the staging area. Example:
    bash
    git add <filename>
  • git commit: Commit changes with a message. Example:
    bash
    git commit -m "Commit message"
  • git push: Push your commits to the remote repository (GitHub). Example:
    bash
    git push origin master
  • git pull: Fetch the latest changes from the remote repository. Example:
    bash
    git pull origin master

8. Cloning a Repository from GitHub

You can clone an existing GitHub repository to your local machine. Here's how:

Step 1: Get the Repository URL

Navigate to the repository you want to clone on GitHub, then copy the URL.

Step 2: Clone the Repository

In your terminal, use the following command to clone the repository:

bash
git clone https://github.com/username/repository-name.git

This will create a local copy of the repository on your machine.


9. Making Changes and Pushing to GitHub

Once you've made changes to your project, you can push them to your GitHub repository.

Step 1: Add Your Changes

After making changes to files, add them to the staging area:

bash
git add .

Step 2: Commit Your Changes

Commit your changes with a meaningful message:

bash
git commit -m "Added new feature"

Step 3: Push to GitHub

Finally, push your changes to the remote repository:

bash
git push origin master

Your changes are now reflected on GitHub!


10. Conclusion

Git and GitHub are essential tools for version control and collaboration, especially for developers. With this guide, you now have a basic understanding of how to install and use Git on Ubuntu, connect it to GitHub, and manage your code efficiently. Whether you’re working solo or with a team, these tools will help you track changes, collaborate on projects, and keep your code organized.

Happy coding!

Port-Forwarding With rinetd On Debian Etch

Port-Forwarding With rinetd On Debian Etch

This article shows how you can do port-forwarding with rinetd on Debian Etch. rinetd allows you to forward ports from one system to another. This useful if you have moved your web sites to a new server with a different IP address. Of course, you have modified your DNS records, but it can take a few days until DNS changes become effective, and that is where rinetd comes into play. If clients still use the old DNS records, rinetd can redirect them to the new server. With rinetd, you do not have to fiddle with iptables rules.



I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this example I'm trying to redirect HTTP traffic (port 80) from the IP address 192.168.0.101 to the IP address 192.168.0.100.

Please note that rinetd is not able to redirect FTP because FTP requires more than one socket.

2 Installing And Configuring rinetd

To install rinetd, we simply run

apt-get install rinetd

rinetd's configuration file is /etc/rinetd.conf. To forward HTTP traffic from 192.168.0.101 to 192.168.0.100, we add the line 192.168.0.101 80 192.168.0.100 80:

vi /etc/rinetd.conf

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress bindport connectaddress connectport
192.168.0.101 80 192.168.0.100 80

# logging information
logfile /var/log/rinetd.log

# uncomment the following line if you want web-server style logfile format
# logcommon

Then we restart rinetd:

/etc/init.d/rinetd restart

Now run

netstat -tap

and you should see that rinetd is listening on port 80 (www):

server2:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:sunrpc *:* LISTEN 1956/portmap
tcp 0 0 server2.example.com:www *:* LISTEN 2485/rinetd
tcp 0 0 *:3025 *:* LISTEN 2347/rpc.statd
tcp 0 0 *:auth *:* LISTEN 2306/inetd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2294/exim4
tcp6 0 0 *:ssh *:* LISTEN 2326/sshd
tcp6 0 0 server2.example.com:ssh ::ffff:192.168.0.3:4776 ESTABLISHED2409/0
server2:~#

Now when you direct your browser to a web page on the IP address 192.168.0.101, it should receive that page from the server with the IP address 192.168.0.100.

Instead of specifiying the port numbers in /etc/rinetd.conf, you can also use the service names. The service names are stored in /etc/services, so when you open that file, you will see that the service for port 80 is named www on Debian.

grep 80 /etc/services

server2:~# grep 80 /etc/services
www 80/tcp http # WorldWideWeb HTTP
www 80/udp # HyperText Transfer Protocol

socks 1080/tcp # socks proxy server
socks 1080/udp
amanda 10080/tcp # amanda backup services
amanda 10080/udp
omirr 808/tcp omirrd # online mirror
omirr 808/udp omirrd
canna 5680/tcp # cannaserver
zope-ftp 8021/tcp # zope management by ftp
webcache 8080/tcp # WWW caching service
tproxy 8081/tcp # Transparent Proxy
omniorb 8088/tcp # OmniORB
omniorb 8088/udp
server2:~#

So you could use the following configuration in /etc/rinetd.conf, it has the same effect as the first one:

vi /etc/rinetd.conf

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress bindport connectaddress connectport
192.168.0.101 www 192.168.0.100 www

# logging information
logfile /var/log/rinetd.log

# uncomment the following line if you want web-server style logfile format
# logcommon

And to make rinetd listen on all IP addresses that are configured on the system where it is installed, we can use 0.0.0.0 as the bindaddress:

vi /etc/rinetd.conf

#
# this is the configuration file for rinetd, the internet redirection server
#
# you may specify global allow and deny rules here
# only ip addresses are matched, hostnames cannot be specified here
# the wildcards you may use are * and ?
#
# allow 192.168.2.*
# deny 192.168.2.1?


#
# forwarding rules come here
#
# you may specify allow and deny rules after a specific forwarding rule
# to apply to only that forwarding rule
#
# bindadress bindport connectaddress connectport
0.0.0.0 80 192.168.0.100 80

# logging information
logfile /var/log/rinetd.log

# uncomment the following line if you want web-server style logfile format
# logcommon

After you've restarted rinetd...

/etc/init.d/rinetd restart

... rinetd should now listen on all interfaces (*:www):

netstat -tap

server2:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:sunrpc *:* LISTEN 1956/portmap
tcp 0 0 *:www *:* LISTEN 2503/rinetd
tcp 0 0 *:3025 *:* LISTEN 2347/rpc.statd
tcp 0 0 *:auth *:* LISTEN 2306/inetd
tcp 0 0 localhost.localdom:smtp *:* LISTEN 2294/exim4
tcp 0 0 server2.example.com:www 192.168.0.3:4798 TIME_WAIT -
tcp6 0 0 *:ssh *:* LISTEN 2326/sshd
tcp6 0 148 server2.example.com:ssh ::ffff:192.168.0.3:4776 ESTABLISHED2409/0
server2:~#

3 Links



Using IPv6 On Debian Etch

Using IPv6 On Debian Etch

This document describes how you can configure a Debian Etch system for IPv6 so that a) it can connect to other IPv6 hosts and b) other IPv6 hosts can connect to it. IPv6 should become more important in the future as recent estimates assume that there will be no more IPv4 addresses left by 2010 or 2011. Therefore it's time time to learn IPv6.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!


1 Preliminary Note

In this tutorial I'm using a Debian server in a LAN (i.e., it uses a router to connect to the Internet) with the ethernet device eth0 and the IPv4 address 192.168.0.100. The router's public IP address at the time of this writing was 85.176.139.73. With IPv6, other systems can connect directly to the Debian system, regardless of the router and NAT. This tutorial will work for Debian systems that are connected directly to the Internet (i.e., no NAT, no router) as well.

To use IPv6, we will configure a tunnel that connects our IPv6 Debian system to IPv6 hardware on the other end (run by a so-called "tunnel broker") and thus to the IPv6 backbone. This tunnel is necessary because most ISPs don't support direct IPv6 connectivity, and it doesn't make sense to route IPv6 traffic over an IPv4 network because chances are that the next-hop router doesn't know what to do with this traffic.

There are multiple tunnel brokers that give you a tunnel and IPv6 addresses for free (e.g. http://tunnelbroker.net/, http://go6.net/4105/freenet.asp, http://www.sixxs.net/). These tunnel brokers are connected to the IPv6 backbone, and the tunnel connects your Debian Etch system to their IPv6 hardware and therefore to the IPv6 backbone.

2 Creating A Tunnel

Register with a tunnel broker - I'm using http://tunnelbroker.net/ as they are very fast - you can be up and running in a few minutes. Then log in on their web interface and create a tunnel ("Create Regular Tunnel" on the http://tunnelbroker.net/ web site). Fill in the IPv4 endpoint (this is the public IPv4 address of your Debian system - if it is behind a router, this is your router's public IPv4 address) and select a location close to you (these are the locations where the tunnel broker has POPs, i.e., connections to the IPv6 backbone):

Afterwards you will see a screen with the details of your tunnel.

These are the details for my test tunnel:

Server IPv4 address: 216.66.80.30
Server IPv6 address: 2001:0470:1f0a:cc0::1/64
Client IPv4 address: 85.176.139.73
Client IPv6 address: 2001:0470:1f0a:cc0::2/64

Please write down the Server IPv4 address (216.66.80.30), the Server IPv6 address (2001:0470:1f0a:cc0::1), and the Client IPv6 address (2001:0470:1f0a:cc0::2). We will need them in a moment.

3 Configuring The Debian System

Log in to your Debian system and take a look at the output of

ifconfig

server1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:A5:5B:93
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:5b93/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7789 (7.6 KiB) TX bytes:5809 (5.6 KiB)
Interrupt:169 Base address:0x1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

server1:~#

Nothing special here, but the inet6 addr in the output means that the system is IPv6 capable.

Now we configure our new public IPv6 address and the tunnel as follows:

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.30 #(please replace the IPv4 address with the IPv4 address of the tunnel broker server that you've chosen in the previous step)
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:0470:1f0a:cc0::2/64 #(please replace the IPv6 address with your own IPv6 address)
route -A inet6 add ::/0 dev sit1

That's it already. Take a look at

ifconfig

again, and you should see two new interfaces (sit0 and sit1) that are needed for our tunnel:

server1:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:A5:5B:93
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fea5:5b93/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:145 errors:0 dropped:0 overruns:0 frame:0
TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12833 (12.5 KiB) TX bytes:19303 (18.8 KiB)
Interrupt:169 Base address:0x1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::127.0.0.1/96 Scope:Unknown
inet6 addr: ::192.168.0.100/96 Scope:Compat
UP RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit1 Link encap:IPv6-in-IPv4
inet6 addr: 2001:470:1f0a:cc0::2/64 Scope:Global
inet6 addr: fe80::c0a8:64/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

server1:~#

Now we can test if we can ping the IPv6 address of the tunnel broker's server:

ping6 -c4 2001:0470:1f0a:cc0::1

server1:~# ping6 -c4 2001:0470:1f0a:cc0::1
PING 2001:0470:1f0a:cc0::1(2001:470:1f0a:cc0::1) 56 data bytes
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=1 ttl=64 time=16.8 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=2 ttl=64 time=40.5 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=3 ttl=64 time=37.5 ms
64 bytes from 2001:470:1f0a:cc0::1: icmp_seq=4 ttl=64 time=37.5 ms

--- 2001:0470:1f0a:cc0::1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 16.880/33.135/40.550/9.466 ms
server1:~#

Looks good.

http://www.ipv6.org/v6-www.html has a list of IPv6 hosts. Let's pick one of them and test if we can ping it as well:

ping6 -c4 www.ipv6.uni-muenster.de

server1:~# ping6 -c4 www.ipv6.uni-muenster.de
PING www.ipv6.uni-muenster.de(tolot.ipv6.uni-muenster.de) 56 data bytes
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=1 ttl=57 time=29.3 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=2 ttl=57 time=38.7 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=3 ttl=57 time=60.4 ms
64 bytes from tolot.ipv6.uni-muenster.de: icmp_seq=4 ttl=57 time=23.1 ms

--- www.ipv6.uni-muenster.de ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 23.194/37.940/60.454/14.127 ms
server1:~#

Ok, pinging other hosts is working fine. Now let's see if our system can be pinged on our public IPv6 address as well. Go to http://www.berkom.blazing.de/tools/ping.cgi and fill in your public IPv6 address. If all goes well, the output should be similar to this one:

Congratulations, IPv6 is now working on your system!

If you don't want to configure the sit0 and sit1 interfaces manually after each reboot, you can create the file /etc/network/if-up.d/ipv6 as follows:

vi /etc/network/if-up.d/ipv6

#!/bin/sh

PATH=/sbin:/bin

ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::216.66.80.30
ifconfig sit1 up
ifconfig sit1 inet6 add 2001:0470:1f0a:cc0::2/64
route -A inet6 add ::/0 dev sit1

(Replace the IPv4 and IPv6 addresses with your own values!)

Then make the file executable:

chmod 755 /etc/network/if-up.d/ipv6

Now whenever the system boots, it starts the sit0 and sit1 interfaces automatically.




phpsh, An Interactive Shell For PHP (Debian Etch)

phpsh, An Interactive Shell For PHP (Debian Etch)

phpsh is an interactive shell for php that features readline history, tab completion, quick access to documentation. It was developed at Facebook and ironically, is written mostly in python. This article explains how you can install/use it on a Debian Etch system.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

1 Installing phpsh

phpsh depends on PHP (4 or 5, 5 is recommended) and Python 2.4+, therefore we install PHP5 and Python as follows:

apt-get install php5-cli python

Afterwards we download and uncompress phpsh as follows:

wget http://www.phpsh.org/phpsh-latest.tgz
tar xvfz phpsh-latest.tgz

This creates the directory phpsh with the phpsh executable. Before we can run phpsh, we must make it executable:

cd phpsh
chmod 755 phpsh

2 Using phpsh

Now we can start the PHP shell simply by running

./phpsh

http://www.phpsh.org/readme.php shows how you can use the PHP shell. You can use tab to autocomplete function names, global variable names, constants, classes, and interfaces, and you can use the arrow keys to browse the command history. The equal sign at the beginning of a line will return the value of an expression.

Type

q

to leave the PHP shell.

Here's a sample output:

server1:~/phpsh# ./phpsh
I can't find a tags file for you. To enable tab completion in phpsh,
go to the root directory of your php code and run 'ctags -R',
(or whatever the analagous command is with your version of ctags,)
then run phpsh from that directory or a subdirectory of that directory.
Commandline: php -q /root/phpsh/phpsh.php
phpsh (c)2006 by Charlie Cheever and Dan Corson and Facebook, Inc.
type 'h' or 'help' to see instructions & features
New Feature: You can use the -c option to turn off coloring
php> = 2 + 3
5
php> $test = "This is a test.";
php> echo $test;
This is a test.
php> = array(array(1,2,3), array("a" => "b", "c" => "d", "e" => "f"), 'g', 'h')
Array
(
[0] => Array
(
[0] => 1
[1] => 2
[2] => 3
)

[1] => Array
(
[a] => b
[c] => d
[e] => f
)

[2] => g
[3] => h
)

php> $a = "abcdefg";
php> echo substr($a,0,3);
abc
php> q

server1:~/phpsh#




Hardening The Linux Kernel With Grsecurity (Debian)

Hardening The Linux Kernel With Grsecurity (Debian)

Security is based on three characteristics: prevention, protection and detection. Grsecurity is a patch for Linux kernel that allows you to increase each of these points.

This howto was performed on a Debian Lenny system. Thus some tools are Debian specific. However, tasks can be performed with other distro specific tools or even with universal tools (make).

Everything will done with root privileges. However, you can perform them with a limited account thanks to sudo and fake-kpkg tools.

1. Preliminary Note

To compile the kernel, you need to install some specific packages:

rom1:/root# aptitude install patch bin86 kernel-package build-essential

If you like to configure your kernel in graphical console mode (make menuconfig), you must install one more package:

rom1:/root# aptitude install libncurses5-dev

Check that iniramfs-tools (used to generated the init ramdisk) is installed (it should be):

rom1:/usr/src# dpkg -l initramfs*

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii initramfs-tool 0.85i tools for generating an initramfs
rom1:/usr/src#

Go to the source folder:

rom1:/root# cd /usr/src

Download the grsecurity patch and the

2.6.24.5

Linux vanilla kernel:

rom1:/usr/src# wget grsecurity.net/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

rom1:/usr/src# wget eu.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.5.tar.gz

NB: you may need to configure wget in case you are using an HTTP proxy (which may use authentication). You need to edit /root/.wgetrc so it looks like this:

http_proxy=192.168.0.1
proxy-user=foo # Put this line if you need to authenticate against your proxy
proxy-passwd=bar # Put this line if you need to authenticate against your proxy

Decompress the archive of the kernel:

rom1:/usr/src# tar xzvf linux-2.6.24.5.tar.gz

Create a symbolic link on the new kernel folder to ease the following tasks:

rom1:/usr/src# ln -s linux-2.6.24.5 linux

Now, the environment is ready. Let's go hardening!

2. Patch the vanilla kernel

Move the grsecurity patch to the new directory:

rom1:/usr/src# mv grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz linux/grsecurity-2.1.11-2.6.24.5-200804211829.patch.gz

Decompress and patch the source of the kernel:

rom1:/usr/src# cd linux

rom1:/usr/src/linux# gunzip <>

Now the patch is applied and the source of the kernel was modified. Let's configure the kernel to enable Grsecurity.

3. Configure the hardened kernel

In this example, we will configure the kernel using a console menu (make menuconfig). This is why we installed the libncurses5-dev package. However, you can configure in pure console mode (make config), or in GUI mode (make xconfig).

Grsecurity has predefined levels: low, medium, high. It can also be configured in custom level where you choose to enable or not option by option. See http://www.grsecurity.net/confighelp.php/ for more info on each option. In this HowTo, we will configure Grsecurity in High level.

rom1:/usr/src/linux# make menuconfig

Now, we will enable Grsecurity in the menu.

Go to Security options > Grsecurity > tick Grsecurity. Then, you can go to Security Level and tick High.

You can profit from configuring Grsecurity to optimise your kernel. Eg: On your server you probably don't need support for infrared, blutooth, probably neither wifi, ipx, X25, token ring, ATM, firewire, PCcard, joystick, mouse, sound....

4. Compile the hardened kernel

It is now time to compile your hardened kernel. First, just in case, clean up:

rom1:/usr/src/linux# make-kpkg clean

Launch compilation itself (this may take a while depending on your CPU power and RAM availability!!!):

rom1:/usr/src/linux# make-kpkg --initrd --append-to-version "grsec1.0" kernel_image

In case you are not using a Debian distro, you can compile the classic way with:

make mrproper
make menuconfig
make clean
make
make modules_install
mkinitramfs
make install

5. Install the hardened kernel

Your new kernel is now compiled and a .deb package file has been generated in the /usr/src folder. You need to install your kernel as any .deb package:

rom1:/usr/src# dpkg -i linux-image-2.6.24.5-grsec_grsec1.0_i386.deb

During the installation, an initrd image will be generated. This may take a while depending on your CPU power and RAM availability! You may also check that the new kernel image is really a kernel !

rom1:/usr/src# file vmlinuz-2.6.24.5-grsec
vmlinuz-2.6.24.5-grsec: Linux kernel x86 boot executable RO-rootFS, root_dev 0x801, swap_dev 0x1, Normal VGA

It is now time to restart your system with your new hardened kernel:

rom1:/usr/src/linux# shutdown -r now

Now that your system has restarted, you can check that your new kernel is running:

rom1:~# uname -r

2.6.24.5-grsec

6. Testing the hardened kernel

Except the fact that uname -r is saying your kernel is a grsec one, how do you know you are running a hardened kernel ? This is where we will use paxtest which will simulate an attack on the kernel and show if you are vulnerable or not. Download paxtest:

rom1:/tmp# wget http://www.grsecurity.net/~paxguy1/paxtest-0.9.7-pre5.tar.gz

Extract it:

rom1:/tmp# tar xzvf paxtest-0.9.7-pre5.tar.gz
rom1:/tmp# cd paxtest-0.9.7-pre5

Compile it (type make to have the list of targets):

rom1:/tmp/paxtest-0.9.7-pre5# make generic

Run it (there are 2 differents modes: kiddie and blackhat):

rom1:/tmp/paxtest-0.9.7-pre5# ./paxtest kiddie

NB: unless you are using high grsecurity level or custom level, you will have a vulnerable kernel. Indeed, you are only getting userland ASLR protection in a medium mode.

7. Links




JS-Kit Comments