Thejesh GN

A Blog, A Website and A container for all my views with excerpts from technology, travel, films, india, photography, kannada, friends and other interests. I am Thejesh GN. Friends call me Thej

Grand Parents

Posted by Thejesh GN on September 22, 2012 | 2 Comments

I didn't get to spend time with my grandparents. I really don't know how kids interact with their grandparents. It's fun to watch how my parents communicate with their grandkids (my sister's kids). Kind of a very new experience for me.


Securing your server using DenyHosts

Posted by Thejesh GN on September 21, 2012

Running an internet-accessible server means opening yourself up to crackers. Running the server is in itself a risk, so risk management is a top priority when you open up ports for accessing it.
The standard ports are 80 (http), 443 (https) and, usually, 22 (ssh). Port 22 is the most important one. Even though ssh provides secure (encrypted) communication, it is still not safe against, say, dictionary attacks. You can do a few things to manage the risk:

1. Change the ssh port from 22 to something else. This is simple. Even though it doesn't protect against the attacks, it will surely slow down the automated ones.

# 1. Edit the sshd_config
nano /etc/ssh/sshd_config
# 2. Locate the line below and change the number 22 to, say, 1001
Port 22
# 3. Restart sshd
service sshd restart
# or by running
/etc/init.d/ssh restart

2. Install and configure DenyHosts to control logins through ssh

# 1. Install denyhosts
sudo apt-get install denyhosts
# 2. Edit the denyhosts config
sudo nano /etc/denyhosts.conf
# 3. Restart denyhosts
sudo /etc/init.d/denyhosts restart
# 4. Check the logs to see who is trying to log in
less /var/log/auth.log
# 5. See which IP addresses are blocked
less /etc/hosts.deny

It’s important to go through every configurable item in denyhosts.conf before you enable DenyHosts. In my view the most important ones are the three thresholds below, which decide when an IP address gets locked out.

#########################################################
# DENY_THRESHOLD_INVALID: block each host after the 
# number of failed login attempts has exceeded this value.  
# This value applies to invalid user login attempts
# (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 5
#
##########################################################
# DENY_THRESHOLD_VALID: block each host after the number 
# of failed login attempts has exceeded this value.  This 
# value applies to valid user login attempts (eg. user 
# accounts that exist in /etc/passwd) except for the "root" 
# user
DENY_THRESHOLD_VALID = 10
#
##########################################################
# DENY_THRESHOLD_ROOT: block each host after the number of
# failed login attempts has exceeded this value.  This 
# value applies to "root" user login attempts only.
#
DENY_THRESHOLD_ROOT = 1
#########################################################
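How the three thresholds play out on a log, as an added example that is not part of the original post or of DenyHosts: it counts failed logins per source address and class, and lists the hosts whose count has exceeded the matching threshold. The log lines, the account name `thej` and the addresses are constructed, and the classification by the text "invalid user" is a simplification.

```shell
#!/bin/sh
# Added example, not DenyHosts code. Log lines are constructed.
# Simplification: "invalid user" in the sshd line marks a non-existent
# account; DenyHosts itself recognises more message formats.
DENY_THRESHOLD_INVALID=5
DENY_THRESHOLD_VALID=10
DENY_THRESHOLD_ROOT=1

sample_log() {
  for n in 1 2 3 4 5 6; do   # six tries at non-existent accounts
    echo "Sep 21 10:00:0$n host sshd[100]: Failed password for invalid user test$n from 203.0.113.5 port 4000 ssh2"
  done
  # two root tries from one host, a single one from another
  echo "Sep 21 10:01:00 host sshd[101]: Failed password for root from 198.51.100.7 port 4001 ssh2"
  echo "Sep 21 10:01:05 host sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2"
  echo "Sep 21 10:02:00 host sshd[103]: Failed password for root from 192.0.2.9 port 4003 ssh2"
  for n in 1 2 3; do         # three tries at an existing account
    echo "Sep 21 10:03:0$n host sshd[104]: Failed password for thej from 192.0.2.44 port 4004 ssh2"
  done
}

# Reads sshd lines on stdin and prints "IP class count" for every host whose
# failure count has exceeded (is strictly greater than) its threshold.
hosts_to_deny() {
  awk -v t_invalid="$DENY_THRESHOLD_INVALID" -v t_valid="$DENY_THRESHOLD_VALID" \
      -v t_root="$DENY_THRESHOLD_ROOT" '
    /Failed password for/ {
      ip = ""
      for (f = 1; f < NF; f++) if ($f == "from") ip = $(f + 1)
      if (ip == "") next
      if ($0 ~ /for invalid user /)    class = "invalid"
      else if ($0 ~ /for root from /)  class = "root"
      else                             class = "valid"
      count[ip " " class]++
    }
    END {
      # + 0 forces numeric comparison of the thresholds
      limit["invalid"] = t_invalid + 0
      limit["valid"] = t_valid + 0
      limit["root"] = t_root + 0
      for (k in count) {
        split(k, p, " ")
        if (count[k] > limit[p[2]]) print p[1], p[2], count[k]
      }
    }' | sort
}

sample_log | hosts_to_deny
```

With DENY_THRESHOLD_ROOT = 1 the host with a single failed root login is not listed; the second failure is the one that exceeds the value.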

Remember that DenyHosts doesn’t lock the account. It only blocks the IP address from which a user/cracker tried to log in. So if you have locked yourself out, try logging in from a different IP address (make sure your password is right this time) and follow the steps below to remove your IP address.

  1. Stop DenyHosts
  2. Remove the IP address from /etc/hosts.deny
  3. Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
  4. Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
  5. Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
  6. Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
  7. Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
  8. (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
  9. Start DenyHosts
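Steps 2 to 7 as one function, as an added example that is not part of the original post. It matches the address as a whole token, so removing 192.0.2.1 leaves 192.0.2.10 in place. The entry formats shown in the comments and the constructed files in `demo` are assumptions.

```shell
#!/bin/sh
# Added example: run between stopping and starting DenyHosts (steps 1 and 9).
# Assumption: entries carry the address as a whole token, for instance
# "sshd: 192.0.2.10" in hosts.deny or "192.0.2.10:2:<date>" under WORK_DIR.

# purge_ip IP HOSTS_DENY WORK_DIR
purge_ip() {
  ip=$1; deny=$2; work=$3
  # Escape the dots and require a non-address character (or a line edge)
  # on both sides, so 192.0.2.1 does not also remove 192.0.2.10.
  pat="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./\\./g')([^0-9.]|\$)"
  for f in "$deny" "$work/hosts" "$work/hosts-restricted" "$work/hosts-root" \
           "$work/hosts-valid" "$work/user-hosts"; do
    [ -f "$f" ] || continue
    cp -p "$f" "$f.bak"                       # keep a copy before editing
    grep -Ev "$pat" "$f.bak" > "$f" || true   # grep exits 1 when no line is left
  done
}

# Constructed files in a temp directory stand in for the real ones.
demo() {
  d=$(mktemp -d)
  printf 'sshd: 192.0.2.1\nsshd: 192.0.2.10\n' > "$d/hosts.deny"
  printf '192.0.2.1:6:Fri Sep 21 10:00:00 2012\n192.0.2.10:2:Fri Sep 21 10:05:00 2012\n' > "$d/hosts"
  purge_ip 192.0.2.1 "$d/hosts.deny" "$d"
  cat "$d/hosts.deny" "$d/hosts"
  rm -rf "$d"
}

demo
```

On the server the call would be `purge_ip <your IP> /etc/hosts.deny <WORK_DIR>`, with WORK_DIR taken from denyhosts.conf.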

You can try Fail2Ban if you want an alternative. Also remember DenyHosts is just one of the security related steps you have to take and not the only step.


Introducing Bangalore Open Data Repository

Posted by Thejesh GN on September 15, 2012 | 1 Comment

Update: Bangalore Open Data Repository has a new home. It's called OpenBangalore.org. Please bookmark it.

I have been collecting data about Bangalore for years. The collected data includes GIS, election, weather reports etc. and comes from different sources. I have been meaning to distribute it online for a while now. Two big reasons to do it were:

  1. Unlock data which was locked up in some govt institutes and make it available to everybody
  2. Help data enthusiasts, data scientists, researchers, journalists and developers who are interested in Bangalore and its data.

At last I figured out a way to do it. It’s through a Mercurial repository available at Bangalore Open Data Repository. That’s probably the easiest way to distribute and collaborate. If you are a developer you can just clone the project. If not, you can download the data dump.

License:
The chosen license is ODbL. For those who don’t know, it’s similar to the Creative Commons Share Alike and Attribute License. It’s used to keep the modifications or additions to data open as well. A gist of the license is below.

You are free:

To Share: To copy, distribute and use the database.
To Create: To produce works from the database.
To Adapt: To modify, transform and build upon the database.

As long as you:

Attribute: You must attribute any public use of the database, or works produced from the database, in the manner specified in the ODbL. For any use or redistribution of the database, or works produced from it, you must make clear to others the license of the database and keep intact any notices on the original database.
Share-Alike: If you publicly use any adapted version of this database, or works produced from an adapted database, you must also offer that adapted database under the ODbL.
Keep open: If you redistribute the database, or an adapted version of it, then you may use technological measures that restrict the work (such as DRM) as long as you also redistribute a version without such measures.

The repository also has code examples to play with the data and to convert it from one format to another. All code examples are available under BSD license unless otherwise specified.

Contribute:
You are more than welcome to contribute to the project. There are mainly four ways to contribute to this project.

  1. The easiest way is to send me data if you have any. Don’t worry about the format or any other details. Open an email, attach data and click send. If you want it to be confidential then use my GPG keys. I promise not to leak this information to anybody.
  2. Contribute by cleaning up the data. All our data is available in some open format. Download (clone it if you like), clean it, use it and send it back to me.
  3. If you are a developer you can send the code examples as hacks. Make sure the code is in BSD or a similar license.
  4. If you are a researcher or visualizer, go ahead and use the data. It would be great if you can add a link attributing the project and send us a mail about it. I will list it on our project page.

Please do send me your comments to improve the project. BTW bookmark the link if you haven’t already.

http://code.thejeshgn.com/bangalore


Securing your wordpress with self-signed SSL certificate

Posted by Thejesh GN on September 12, 2012 | 1 Comment

I have been wanting to do this for a long time now. At last thejeshgn.com is available through https. It’s done more for my own use than for my readers. I wanted to protect the admin screen (basically wp-admin). Given that I use my own VPN on public wifi, it may seem less important. But SSL gives the great advantage of blogging from a cyber café, which I do (in extreme situations) when I am traveling. Nevertheless, more security does no harm.

I chose to generate my own certificate because I am planning to use it only for myself. In future, if I ever have a reader-focused https site, I will surely get one from a certifying authority.

Below is the how-to for generating your own certificate and enabling it on wordpress/apache combo.

  1. Generate a Private Key
    The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
    openssl genrsa -des3 -out server.key 1024
  2. Generate a CSR (Certificate Signing Request)
    openssl req -new -key server.key -out server.csr
  3. Remove Passphrase from Key
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
  4. Generating a Self-Signed Certificate
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  5. Moving the certificates to apache folder
    or your hosting provider should give a way to upload them.
    cp server.crt /usr/local/apache/conf/ssl.crt
    cp server.key /usr/local/apache/conf/ssl.key
  6. Enabling wordpress to work with SSL
    edit wp-config.php
    Set the constant FORCE_SSL_ADMIN to true to force all logins and all admin sessions to happen over SSL.
    define('FORCE_SSL_ADMIN', true);
  7. Install wordpress-https plugin.
    This will help in configuring finer details. Like you can enable/disable https for specific pages or posts.

Since we are using a self-signed SSL certificate, the browser throws scary errors when you try to use the URL. Accept the certificate exception. But before accepting it, verify the SHA/MD5 fingerprints to make sure it's yours. I check it every time I log in.

Firefox add exception

Check fingerprint

Even when you are on a specific page, you can click on the lock icon in the URL bar and verify the fingerprints.
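Where the value to compare against comes from, as an added example that is not part of the original post: `cert_fingerprint` prints the fingerprint of a certificate file, and `der_digest` recomputes it by hand to show it is the digest of the DER-encoded certificate. The demo works on a throwaway certificate; the CN `example.test`, the 2048-bit key size and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Works on a throwaway key and certificate in a temp
# directory; CN=example.test and the 2048-bit key size are placeholders.

make_test_cert() {   # make_test_cert DIR  (steps 1, 2 and 4, no passphrase)
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -subj "/CN=example.test" \
    -out "$1/server.csr"
  openssl x509 -req -days 1 -in "$1/server.csr" -signkey "$1/server.key" \
    -out "$1/server.crt" 2>/dev/null
}

# Fingerprint as openssl prints it ("AB:CD:..."), DIGEST is sha1 or sha256.
cert_fingerprint() {   # cert_fingerprint CERT DIGEST
  openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# The same value by hand: the digest of the DER-encoded certificate
# (not of the PEM text), upper-cased and split into colon-separated bytes.
der_digest() {   # der_digest CERT DIGEST
  openssl x509 -in "$1" -outform DER | openssl dgst "-$2" -r |
    cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

verify_demo() {
  d=$(mktemp -d)
  make_test_cert "$d"
  shown=$(cert_fingerprint "$d/server.crt" sha256)
  computed=$(der_digest "$d/server.crt" sha256)
  rm -rf "$d"
  [ -n "$shown" ] && [ "$shown" = "$computed" ] && echo "match $shown"
}

verify_demo
```

Run `cert_fingerprint` on the server's own server.crt, note the result somewhere you carry with you, and compare it with what the browser's certificate dialog shows before adding the exception.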

Happy and secure blogging.


Shankar Nag – All India Radio Program

Posted by Thejesh GN on September 11, 2012 | 1 Comment

Found them on YouTube. Tried my best to remove the noise. It's much, much better now. Have fun listening.

