Nagios Installation and Configuration: Part One

Nagios is an open-source application for monitoring computer systems, networks and infrastructure. It lets organizations identify and resolve IT infrastructure problems before they affect critical business processes, and offers monitoring and alerting services: it alerts users when something goes wrong, and alerts them again when the problem has been resolved.

Nagios was originally designed to run under Linux, but it also runs well on other Unix variants. It is licensed under the terms of the GNU GPL version 2. It was originally created under the name NetSaint, and was written and maintained by Ethan Galstad along with a group of developers who actively maintain both the official and unofficial plugins. The name NetSaint was changed in response to a legal challenge by the owners of a similar trademark; Nagios is a recursive acronym for "Nagios Ain't Gonna Insist On Sainthood".

Nagios includes the following capabilities, among others:

  • Monitoring of network services
  • Monitoring of host resources (processor load, disk usage, system logs) on most network operating systems, including Microsoft Windows
  • Monitoring of anything else, such as probes that can send collected data over the network to purpose-written plugins
  • Monitoring via remotely run scripts using the Nagios Remote Plugin Executor (NRPE)
  • Remote monitoring through SSH or SSL/TLS encrypted tunnels


Nagios Installation

The process of installing Nagios under Linux is fairly straightforward. You first need to install some prerequisites, which you can get from the repositories. Start with Apache 2 and the Apache PHP module (the package is called libapache2-mod-php5 on releases that ship PHP 5; newer Debian and Ubuntu releases call it libapache2-mod-php):

sudo apt-get install apache2
sudo apt-get install libapache2-mod-php5

Next, install the GCC compiler and development libraries:

sudo apt-get install build-essential

Finally, you need to install the GD 2 development libraries. With some distributions, you install them like this:

sudo apt-get install libgd2-dev

But with some newer distros (including Ubuntu 7.10 and above), the name of the gd2 library package has changed (and in current Debian and Ubuntu releases it is simply libgd-dev):

sudo apt-get install libgd2-xpm-dev

Next, you need to set up the Nagios account. Start by becoming the root user:

sudo -s

Now create a new user and give it a password (the daemon itself never uses the password; set one only if you intend to log in as this user):

/usr/sbin/useradd -m -s /bin/bash nagios
passwd nagios

On some distros, you may need to add a group, but on newer server versions of Ubuntu useradd already creates a group of the same name and you can skip this step:

/usr/sbin/groupadd nagios
/usr/sbin/usermod -G nagios nagios

(Without -a, usermod -G replaces the user's supplementary groups; that is harmless for an account you have just created, but use -a -G on an existing account.)

In either case, you will need to create a new nagcmd group for allowing external commands to be submitted through the web interface, and to add the nagios user and the Apache user to the group:

/usr/sbin/groupadd nagcmd
/usr/sbin/usermod -a -G nagcmd nagios
/usr/sbin/usermod -a -G nagcmd www-data

Now you need to download the Nagios source code tarball from the download section of the official Nagios web site, and verify its checksum against the value published there before unpacking it. You probably also want to download the plugins tarball. Unpack the tarball:

tar xzf nagios-4.0.8.tar.gz
cd nagios-4.0.8

Then run the configure script, passing the name of the group you created earlier:

./configure --with-command-group=nagcmd

Compile the source code:

make all

Next, install the binaries, init script, sample config files and set permissions on the external command directory:

make install
make install-init
make install-config
make install-commandmode
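What the nagcmd group and the permissions set by make install-commandmode actually protect, as an added example in Python (this is not code from the article or from Nagios). It formats an external command the way Nagios expects it on the command pipe, and checks that the rw directory is writable only by the nagios user and the command group. The prefix /usr/local/nagios and the default group name are assumptions.

```python
"""Nagios external commands and the permissions that guard them.

Added example; this is not code from the original article or from Nagios.
Nagios reads external commands from the named pipe $prefix/var/rw/nagios.cmd
(prefix /usr/local/nagios by default), one command per line in the form
"[unix_time] COMMAND;arg1;arg2". Whoever can write to that pipe can disable
notifications, inject check results or schedule downtime, which is why the
rw directory created by `make install-commandmode` is group nagcmd, setgid
and not world-writable: only the nagios user and the web server (through
the nagcmd group) may submit commands.
"""
import grp
import os
import stat
import time

COMMAND_FILE = "/usr/local/nagios/var/rw/nagios.cmd"  # assumed default prefix


def format_external_command(command, *args, when=None):
    """Return one Nagios external command line.

    ';' separates arguments and a newline terminates the command, so neither
    may appear inside an argument: an embedded newline would smuggle in a
    second command (the same check a web front end has to make on user input).
    """
    for arg in args:
        text = str(arg)
        if ";" in text or "\n" in text:
            raise ValueError("argument contains a command separator: %r" % text)
    timestamp = int(time.time()) if when is None else int(when)
    return "[%d] %s%s\n" % (timestamp, command,
                            "".join(";" + str(a) for a in args))


def check_command_dir(path, group="nagcmd"):
    """Return a list of problems with the external command directory.

    `group` may be a group name or a numeric gid. Expected state after
    `make install-commandmode`: group-writable, setgid, owned by the
    command group, and not writable by everyone.
    """
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)  # permission bits plus setuid/setgid/sticky
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can inject commands")
    if not mode & stat.S_IWGRP:
        problems.append("not group-writable: the web interface cannot submit commands")
    if not mode & stat.S_ISGID:
        problems.append("setgid bit missing: new files will not inherit the group")
    if isinstance(group, int):
        expected_gid = group
    else:
        try:
            expected_gid = grp.getgrnam(group).gr_gid
        except KeyError:
            problems.append("group %s does not exist" % group)
            return problems
    if st.st_gid != expected_gid:
        problems.append("owned by gid %d, not the command group" % st.st_gid)
    return problems


def submit_external_command(line, cmd_file=COMMAND_FILE):
    """Write one formatted command to the Nagios command pipe.

    Opening a FIFO for writing blocks until nagios has it open for reading,
    so this only returns once the daemon is running.
    """
    with open(cmd_file, "w") as fifo:
        fifo.write(line)


if __name__ == "__main__":
    rw_dir = os.path.dirname(COMMAND_FILE)
    if os.path.isdir(rw_dir):
        for problem in check_command_dir(rw_dir):
            print("WARNING: %s: %s" % (rw_dir, problem))
    line = format_external_command("DISABLE_HOST_NOTIFICATIONS", "webserver01")
    print("would submit:", line.rstrip())
```

Run check_command_dir against the rw directory after installation; a world-writable result means every local account, not just Apache, can drive the monitoring system.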

This takes care of Nagios installation. In the next article, we will cover installation of the plugins and configuration.


External Links:

The official Nagios site

Nagios on Wikipedia

netio: A Network Benchmark Tool

netio in action under pfSense 2.1.5.

netio is a network benchmark utility for OS/2 2.x, Windows, Linux and Unix. It measures the net throughput of a network via TCP and UDP protocols using various different packet sizes. For netio to run a benchmark, one instance has to be run on one computer as a server process, while another instance is used on another computer to perform the benchmark. Starting with version 1.20, multi-threading support is required. While this does not affect anyone using the program under Linux or BSD, it did mean that DOS was no longer supported.

netio: Installation and Use

To install netio under pfSense, navigate to System -> Packages, and scroll down to netio in the list. Press the “plus” button to begin installation, and on the next screen, press “Confirm” to confirm installation. netio should complete installation within a few minutes.


Once netio is installed, there will be a new item on the Diagnostics menu called "netio". If you navigate to it, you will find two tabs: "Client" and "Server". The "Client" tab, appropriately enough, configures netio to run as a client, while "Server" lets it act as a server. On the "Client" tab there are two settings: "Server" (the IP address or hostname netio will connect to) and "Port" (the port netio will connect to). On the "Server" tab there is only one field, "Port", which specifies the port netio will bind to (the default is 18767). Press the "Save" button at the bottom to save settings. Keep in mind that netio has no authentication: while the server is enabled, anything that can reach that port on the firewall can start a benchmark against it and push traffic through it, so enable it only for the duration of a test and make sure your firewall rules do not expose the port on WAN-facing interfaces.

Running netio at the command prompt under Windows 8.1.

Whether you run netio as a client or server, netio requires another node with which to connect. As a result, you are going to have to download netio, which you can do from the official netio site. The zip file contains both the source code and binaries for several platforms, including Windows, Linux, BSD, OS/2 and Mac OS X. Select the right binary for your platform and run netio from your system’s command prompt/shell.

At the risk of stating the obvious, if you are running netio under pfSense as a server, then you want to be running it under the other system as a client, and vice-versa. To test netio, I decided to run it under pfSense as a server (I kept the default port and just pressed “Save”). In Windows, I typed:

win32-i386 -t 192.168.2.1

where win32-i386 is the name of the windows executable, -t specifies the TCP protocol, and 192.168.2.1 is the IP address of the server (my pfSense box). The output of netio can be seen in the screenshot on the right.
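The shape of the test netio runs, reduced to a loopback TCP probe, as an added example in Python (this is not netio's source and does not speak its wire protocol): one side listens and discards what it receives, the other sends blocks of increasing size for a fixed interval and reports throughput per block size. Unlike the pfSense package, which listens on every address, the server here takes a bind address so it can be tied to one interface.

```python
"""A loopback TCP throughput probe in the style of netio.

Added example: this is not netio's source and does not speak its protocol.
It shows the test the tool runs: one side listens and sinks whatever
arrives, the other sends blocks of increasing size for a fixed interval and
reports KB/s per block size (netio sweeps 1k..32k). The server takes a bind
address so it can be limited to one interface; like netio it performs no
authentication, so whoever can reach the port can drive traffic through it.
"""
import socket
import threading
import time

BLOCK_SIZES = (1024, 2048, 4096, 8192, 16384, 32768)


def sink(conn):
    """Discard everything the client sends; return the byte count."""
    total = 0
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            return total
        total += len(chunk)


def start_server(bind_addr="127.0.0.1", port=0):
    """Listen on bind_addr:port (0 = any free port) in a background thread.

    Returns (thread, port, result); result["bytes"] is filled in when the
    single accepted client disconnects.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    result = {}

    def run():
        with srv:
            conn, _ = srv.accept()
            with conn:
                result["bytes"] = sink(conn)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread, srv.getsockname()[1], result


def run_client(host, port, seconds=1.0, sizes=BLOCK_SIZES):
    """Send blocks of each size for `seconds`; return ({size: KB/s}, bytes_sent)."""
    rates = {}
    total = 0
    with socket.create_connection((host, port), timeout=10) as s:
        for size in sizes:
            block = b"\x00" * size
            sent = 0
            start = time.monotonic()
            while time.monotonic() - start < seconds:
                s.sendall(block)
                sent += size
            rates[size] = sent / (time.monotonic() - start) / 1024
            total += sent
    return rates, total


if __name__ == "__main__":
    thread, port, result = start_server()
    rates, sent = run_client("127.0.0.1", port)
    thread.join()
    for size, kbps in rates.items():
        print("%6d byte blocks: %10.0f KB/s" % (size, kbps))
    print("server received %d of %d bytes" % (result["bytes"], sent))
```

Run it with a real address on two hosts to reproduce the client/server split the article describes; on loopback it just demonstrates the exchange.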

And here we are running it under Linux Mint 17.

One problem with this program is that if you connect with one protocol (e.g. TCP), you apparently cannot connect to the server again with another protocol (e.g. UDP). If you try this and get an "error code 10060" message (the Windows socket error WSAETIMEDOUT, meaning the connection attempt timed out), restart the server and then attempt the client connection a second time.

Did I mention that netio supports several platforms? This last screenshot shows what happened when I ran netio under Linux on an old IBM Lenovo M51 running Mint Linux 17. The only shortcoming is that the binary for Linux is version 1.30 of the program, not the latest version (1.32). Thus if you want the latest version under Linux, you’ll have to compile it yourself.


External Links:

The official netio site

Network Traffic Monitoring with vnStat

Configuring settings with vnStat under pfSense.

vnStat is a console-based program for network traffic monitoring on Linux and BSD. It keeps a log of hourly, daily and monthly network traffic for the selected interfaces, using the interface statistics provided by the kernel as its information source. This means two things: [1] vnStat isn't a packet sniffer and sees only byte and packet counters, never the traffic itself, and [2] vnStat does not heavily tax system resources. On Linux a kernel of at least 2.2 is required; pfSense is FreeBSD-based, and vnStat reads the same kind of counters there. Here, we are concerned with installing and configuring vnStat under pfSense.

Network Traffic Monitoring with vnStat: Installation and Configuration

To install vnStat under pfSense, navigate to System -> Packages and click on the “Available Packages” tab. Scroll down the list of available packages to vnStat, and press the “plus” button on the right side of the entry. On the next page, press the “Confirm” button to confirm installation, which should not take more than a few minutes.


In order to create a vnStat database for an interface, you need to start an SSH session with your pfSense box or access it directly from the console. Then type "8" at the pfSense menu to start a shell session. At the command line, type the following:

vnstat -u -i em0

where em0 is the interface to be monitored. Use the FreeBSD interface name as shown by ifconfig (em0, igb1, vtnet0 and so on), not the Linux-style eth0. The -u switch belongs to vnStat 1.x; in vnStat 2.x the database is maintained by the vnstatd daemon and an interface is added with vnstat --add -i em0 instead.

Viewing stats for the LAN interface with vnStat.

Once installation is complete, you can begin network traffic monitoring. There should be an entry under the Status menu called "Vnstat2". Navigate to Status -> Vnstat2 and click on the "Config" tab for the vnStat configuration options. The "MonthRotate" dropdown box allows you to specify the day of the month on which months are expected to change. This is usually set to 1, but it can be set to other values: for example, if you need to track monthly billed traffic where the billing period does not start on the first day of the month, you can change this parameter accordingly. The "Enable php frontend for vnstat" check box enables the vnStat frontend (no login needed). Note that "no login needed" means exactly that: anyone who can reach the web GUI port can read per-interface traffic totals through the frontend without authenticating, so leave it disabled unless that is acceptable on every interface where the GUI is reachable.
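What MonthRotate changes, worked through in Python as an added example (not vnStat's own code): the same boundary rule applied to a list of daily rx/tx counters, so you can check what the monthly view reports for a billing period that starts mid-month. The daily records in the main block are constructed, not real counters.

```python
"""Billing-period totals with a vnStat-style MonthRotate day.

Added example; it is not vnStat's code. vnStat's MonthRotate setting moves
the day on which a "month" starts from the 1st to another day. The
functions below apply that rule to (date, rx_bytes, tx_bytes) records, which
reproduces what the monthly view reports for a billing period that starts
mid-month and lets you check a provider's invoice against vnStat's daily
figures. The records used in __main__ are constructed, not real counters.
"""
import datetime
from collections import OrderedDict


def period_start(day, rotate):
    """Return the date on which the billing period containing `day` began.

    Periods begin on day `rotate` of each month; a date before that day
    belongs to the period that began on the rotate day of the previous
    month. `rotate` is kept to 1..28 so the day exists in every month.
    """
    if not 1 <= rotate <= 28:
        raise ValueError("rotate day must be between 1 and 28")
    year, month = day.year, day.month
    if day.day < rotate:
        month -= 1
        if month == 0:  # January wraps into December of the previous year
            month, year = 12, year - 1
    return datetime.date(year, month, rotate)


def billing_totals(records, rotate=1):
    """Sum (date, rx_bytes, tx_bytes) records per billing period.

    Returns an OrderedDict mapping period start date -> (rx, tx), in
    chronological order.
    """
    totals = OrderedDict()
    for day, rx, tx in sorted(records):
        key = period_start(day, rotate)
        old_rx, old_tx = totals.get(key, (0, 0))
        totals[key] = (old_rx + rx, old_tx + tx)
    return totals


if __name__ == "__main__":
    sample = [  # constructed daily counters, in bytes
        (datetime.date(2015, 1, 10), 100, 10),
        (datetime.date(2015, 1, 15), 200, 20),
        (datetime.date(2015, 2, 14), 300, 30),
        (datetime.date(2015, 2, 15), 400, 40),
    ]
    for rotate in (1, 15):
        print("MonthRotate = %d" % rotate)
        for start, (rx, tx) in billing_totals(sample, rotate).items():
            print("  period from %s: rx=%d tx=%d" % (start, rx, tx))
```

With MonthRotate set to 15, January 10 falls into the period that began on December 15, and February 14 is counted with January 15, which is the behaviour to expect from the monthly graphs once the setting is changed.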

On the second tab, "Vnstati", you can see pie charts, bar graphs and tables detailing usage of the interface selected from the dropdown box. You can only see information, however, for interfaces for which databases were created. By clicking on the "Access vnstat php frontend" tab, you can access the PHP frontend, if it is installed and enabled (you can download this frontend from sqweek.com). From the "vnstat info" tab, you can see information about selected interfaces (once you select an interface, the information presented can be filtered via the dropdown box at the top; for example, you can choose to see only activity for the last 24 hours). The "vnstat summary" tab shows a summary of all interfaces for which databases were created.


External Links:

Vnstat at doc.pfsense.org

PHP frontend for VnStat at sqweek.com

Securing Ports and Services

A computer system that is not connected to a network is a rarity. While networking provides flexibility in terms of the remote services, data and information that are available, it also brings considerable risk: it is safe to assume that any computer connected to a network is in danger of being attacked in some way. Secure computer environments, such as those used by government defense organizations, often have no contact with the outside world even when the machines are networked to each other, and as a result they have an easier time securing ports and services.

The predominant network communications protocol is TCP/IP. It is the protocol used by the Internet and thus has supplanted most of the formerly popular protocols used for local area networks (LANs). However, TCP/IP was conceived to send and receive data reliably, not to secure it. Securing the data (and securing ports) is the job of applications listening and sending on specific ports.

TCP and UDP each provide 65,536 port numbers (0 through 65,535), of which 0 through 1023 are the well-known ports. These are, of course, not physical ports into which network cables are connected, but rather logical endpoints on each network connection which applications and services use to communicate over TCP/IP. In practice, the ports used by popular network clients and services make up an even smaller subset of the well-known group, which makes the task of securing ports somewhat easier.

There are a number of different TCP/IP services which can be provided by an operating system, such as HTTP for running a web server, FTP for file transfers, SSH and Telnet for remote login access and SMTP for transporting e-mail. Each service is assigned a standard port number: port 80 is for HTTP requests, port 21 is the File Transfer Protocol (FTP) control port, port 22 is SSH, port 23 is Telnet, port 25 is SMTP, and port 17 is the quote of the day service.


Securing Ports and Services: How It’s Done

A large part of securing ports and securing servers involves defining roles and, based on the roles, deciding which services and ports should be enabled. For example, a server that is to act solely as a web server should run only the web server (HTTP, and HTTPS if needed), and perhaps SSH for remote administration. All other services should be disabled and, ideally, removed entirely from the operating system; removing the service makes it harder for an intruder to re-enable it. Thus, while it is necessary for some ports to be open to Internet traffic, it is also necessary to ensure that only the bare minimum are exposed and that the software on the system is as up to date as possible.

Securing a system involves (a) removing any unnecessary services from the operating system and (b) ensuring that the ports associated with these non-essential services are blocked using a firewall.

Many operating systems are installed with a number of services installed and activated by default. Before installing a new operating system, it is essential that the installation be carefully planned. This involves deciding which services are not required and identifying which services have been installed and enabled by default. It helps if deployment is not rushed; the fewer services and open ports available on a system, the smaller the surface area and opportunities for attackers. In addition, it is essential to turn on automatic updates, both for Windows and Linux, as well as for your antivirus software.

As for the firewall, you will want a dedicated firewall between your network and the Internet. Although not absolutely essential, it is good practice to run a host-based firewall on each computer as well. In securing ports, make sure your firewall blocks all traffic other than to the ports you know should be open. Because some malicious software silently opens ports, it is a good idea to check the listening ports yourself (ss -ltun or netstat -tuln on Linux, sockstat -l on FreeBSD and pfSense, netstat -ano on Windows) and close any that you do not need.


External Links:

TCP/UDP ports on Wikipedia

How to secure your TCP/IP ports at techradar.pro

Backup Your Network with Bacula

Adding a director to bacula-client under pfSense 2.1.3.

Bacula is an open source, enterprise-level computer backup system for heterogeneous networks. It is designed to automate backup tasks that had often required intervention from a systems administrator. Bacula supports Linux, UNIX, Windows and Mac OS X backup clients, although here we are mainly concerned with the Bacula package running under pfSense. It also supports a range of professional backup devices, including tape libraries. Administrators and operators can configure Bacula via a command-line console, GUI or web interface. Its backend is a catalog of information stored by MySQL, PostgreSQL, or SQLite. Bacula is the collective work of many developers, including Kern Sibbald, and has been under development for fourteen years as of this writing. It is open source and is available without fees for both commercial and non-commercial applications, under the AGPL version 3 license, with exceptions to permit linking with OpenSSL and distributing Windows binaries.

Bacula Backup: Installation and Configuration

The Bacula server has to be installed separately. Depending on which platform/operating system you are using, you may have to compile Bacula, although Bacula seems to be present in the Red Hat Enterprise Linux (RHEL) and CentOS repositories. To install the Bacula client under pfSense, navigate to System -> Packages, and scroll down to bacula-client on the package list. Press the “plus” button to the right of the entry, and press “Confirm” to confirm installation. Installation of Bacula should not take long.

Once installation is complete, there will be a new entry under the "Services" menu called "Bacula-client". The configuration files for Bacula will not be generated until you have saved a configuration change. To understand the configuration options, it helps to understand the architecture of Bacula.


Bacula is made up of the following six major components or services: Director, Console, File, Storage, Catalog and Monitor:

  • Director: The director service is the program that supervises all backup, restore, verify and archive operations. The system administrator uses the director to schedule backups and to recover files. The director runs as a daemon in the background.
  • Console: The console service is the program that allows the administrator or user to communicate with the director. Currently the console is available in three versions: a text-based console (bconsole) run in a shell window, which most system administrators will find completely adequate; a Qt-based graphical interface (BAT); and a wxWidgets GUI with an interactive file restore.
  • File: The file service (the file daemon) is the software installed on the machine to be backed up. It is also responsible for the file-system-dependent part of restoring file attributes and data during a recovery operation. The pfSense bacula-client package is this component.
  • Storage: The storage services consist of the software programs that perform the storage and recovery of file attributes and data to the physical backup media or volumes. In other words, the storage daemon is responsible for reading and writing your tapes or other storage media.
  • Catalog: The catalog services are the software programs responsible for maintaining the file indexes and volume databases for all files backed up. Bacula currently supports three different databases: MySQL, PostgreSQL and SQLite.
  • Monitor: The monitor service is the program that allows the administrator or user to watch the current status of Bacula directors, file daemons and storage daemons. Currently, only a GTK+ version is available.

If you navigate to Services -> Bacula-client, there are three tabs: "Directors", "FileDaemon" and "View Configuration". The first tab, "Directors", enables you to add directors by pressing the "plus" button on the right side. You can specify the "Director Name" and provide a description in the "Description" field. You need to supply a password at "Password", and the "Director type" dropdown box selects the director's attributes. "Director" simply declares a director that may run jobs on this client. "Local" causes the Monitor attribute in bacula-fd.conf to be set to "yes" and the director attribute in the Messages section of bacula-fd.conf to be set to this director. Setting the director type to "Monitor" causes the Monitor attribute to be set to "yes" but leaves the director attribute unchanged; a monitor-only director can query the file daemon's status but cannot run jobs on it. The password is the shared secret with which director and file daemon authenticate each other (Bacula uses a CRAM-MD5 challenge over it), so use a long random string and enter exactly the same value in the Client resource of the director's bacula-dir.conf.

On the "FileDaemon" tab, there are currently only two settings: "File Daemon port" (the default is 9102) and "Maximum Concurrent Jobs" (the default is 20). The latter caps how many jobs a director may run on this client at once. The interleaving concern belongs to the storage side: when several simultaneous jobs write to the same volume the volume format becomes more complicated, and restores may take longer because Bacula must sort through interleaved blocks from multiple jobs. For a single client the default of 20 is fine unless you have a specific reason to limit the load on the firewall. Finally, "View configuration" allows you to view (but not alter) the bacula-fd.conf file.
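What the three tabs write out, shown as an added example of a bacula-fd.conf (this is not the file the pfSense package generates; names, passwords and directories are placeholders):

```conf
# bacula-fd.conf fragment (added example, not generated by the pfSense
# package). Names, passwords and paths are placeholders.

# A director that may run jobs on this client: the "Director" type in the GUI.
Director {
  Name = backup-dir
  # Shared secret for CRAM-MD5 authentication; must match the Client
  # resource in bacula-dir.conf. Use a long random string.
  Password = "replace-with-a-long-random-secret"
}

# A monitor-only director: the "Monitor" type in the GUI. It can query
# status but cannot start jobs on this file daemon.
Director {
  Name = backup-mon
  Password = "another-long-random-secret"
  Monitor = yes
}

# What the "FileDaemon" tab sets.
FileDaemon {
  Name = pfsense-fd
  FDport = 9102
  WorkingDirectory = /var/db/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
}

# Where the file daemon sends its log messages; the "Local" director type
# points this at the chosen director.
Messages {
  Name = Standard
  director = backup-dir = all, !skipped, !restored
}
```

The Monitor = yes line is the whole difference between the "Director" and "Monitor" types above; a director without it has full control of the client, which is why its password deserves the same care as an administrator credential.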


External Links:

The official Bacula web site

Bacula on Wikipedia

Useless Services

Like a vestigial tail, there are often applications running on our machines that no longer serve any useful purpose. These services may be part of an earlier set of libraries that the programmers built on and never bothered to take out. This is one of the downsides of ever-increasing processing power and memory capacity. Programmers used to carefully ration every byte they used and would never allow unnecessary lines in their code. However, in this age of bloatware and gigabyte-sized operating systems, it is often easier to leave legacy services in rather than risk breaking some other program that depends on them. The incredible thing is that these services are often turned on by default. Here is a list of some of those services:

Useless Services in Linux

  • chargen (port 19): Sends a stream of standard characters when polled. Not only is this service no longer used, but it can be used to generate a denial of service (DoS) attack by having it continually spit out character streams (and, over UDP, to amplify traffic toward a spoofed source address).
  • daytime (port 13): Returns the time of day. Not needed by any modern system function.
  • discard (port 9): Silently discards whatever is sent to it. Mainly used for testing purposes.
  • echo (port 7): Replies with whatever was sent to it. Like chargen, echo can be used in DoS attacks by sending it a steady stream of data to echo.
  • finger (port 79): Much has been said about this service. The original Internet worm, released by Robert Morris in 1988, exploited a buffer overflow in the finger daemon (fingerd) to propagate from one machine to another. It also hands out user and login information, which is very useful to attackers.
  • qotd (quote of the day, port 17): Sends a short quote or phrase, set up by the system administrator, to anyone who connects.


If you are running Windows, there are other services you will probably want to disable. Here is a partial listing of those useless services:

Useless Services in Windows

  • Remote Registry: Enables viewing and changing the Windows Registry from a remote computer (including attackers' computers).
  • ClipBook (Windows XP only): Shares Clipboard contents over a network.
  • Function Discovery Resource Publication (Windows Vista, 7, 8, 8.1): Publishes shared resources (printers, libraries, etc.) on this computer over a network.
  • Offline Files (Windows Professional/Business/Ultimate): Caches selected folders and files from file servers so that the items are always available.
  • SSDP Discovery: Detects and publishes Simple Services, such as UPnP devices (home entertainment systems, media streaming, printers, some WiFi routers, etc.).
  • Telnet (present by default only on Windows XP; an optional feature on later versions): Enables remote access to a command-line interface over a network, in cleartext.
  • WebClient: Enables creating, accessing and modifying files on the Internet (WebDAV) using Windows-based programs. This does not affect FTP, SSH, SCP or browser-based access.
  • Windows Media Player Network Sharing Service: Enables streaming music and video to home entertainment systems and other computers/devices over a network.

If you disable at least some of these services, your system will be harder for attackers and bots to get into. On Linux, the small services above are provided by inetd or xinetd: set disable = yes for each of them under /etc/xinetd.d, or comment their lines out of /etc/inetd.conf, and restart the daemon. On Windows, set the service's startup type to Disabled in services.msc or with Set-Service -StartupType Disabled. Then confirm with a listening-port check that nothing is still bound to those ports.
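The check that both the role-based allow-list from "Securing Ports and Services" and the tables above call for, as an added example in Python (not code from either article): it parses the output of ss -ltun on Linux, reports every listener the role does not account for, and names the legacy small services explicitly. The sample output is constructed, not a capture; pfSense's sockstat -l and Windows netstat -ano print different layouts and would need their own parsers.

```python
"""Audit listening sockets against a per-role allow-list.

Added example; not code from the original articles. Input is the text
`ss -ltun` prints on Linux (pfSense/FreeBSD `sockstat -l` and Windows
`netstat -ano` have different layouts and would need their own parsers).
The sample output below is constructed, not a capture. Every socket not on
the role's list is reported, loopback-only listeners are downgraded to
informational, and the inetd-era "small services" are called out by name.
"""
import re

# Role -> (proto, port) pairs expected to listen. Everything else is a finding.
ROLE_ALLOWLIST = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "mail": {("tcp", 22), ("tcp", 25), ("tcp", 587)},
}

# Legacy services that should never be listening on a modern server.
LEGACY_SERVICES = {
    7: ("echo", "reflects input; usable for traffic amplification"),
    9: ("discard", "no modern use"),
    13: ("daytime", "no modern use"),
    17: ("qotd", "no modern use"),
    19: ("chargen", "streams characters to any peer; classic DoS amplifier"),
    23: ("telnet", "cleartext remote login"),
    79: ("finger", "leaks user and login information"),
}

# Constructed sample of `ss -ltun` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:19         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      5      127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:79         0.0.0.0:*
"""

SOCKET_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(text):
    """Yield (proto, local_address, port) per socket line; the header is skipped."""
    for line in text.splitlines():
        match = SOCKET_LINE.match(line)
        if match:
            yield match.group(1), match.group(2), int(match.group(3))


def audit_listeners(text, role, allowlist=ROLE_ALLOWLIST, legacy=LEGACY_SERVICES):
    """Return findings as (severity, proto, port, address, note), highest first."""
    allowed = allowlist[role]
    findings = []
    for proto, addr, port in parse_ss(text):
        if (proto, port) in allowed:
            continue
        if port in legacy:
            name, why = legacy[port]
            findings.append(("high", proto, port, addr, "%s: %s" % (name, why)))
        elif addr in ("127.0.0.1", "[::1]"):
            findings.append(("info", proto, port, addr, "loopback only; still review"))
        else:
            findings.append(("medium", proto, port, addr, "not in %s role allow-list" % role))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))


if __name__ == "__main__":
    for sev, proto, port, addr, note in audit_listeners(SAMPLE_SS_OUTPUT, "web"):
        print("%-6s %s/%-5d %-16s %s" % (sev.upper(), proto, port, addr, note))
```

Feed it live output with audit_listeners(subprocess.check_output(["ss", "-ltun"], text=True), "web") and extend ROLE_ALLOWLIST for each server role you deploy; a loopback-only listener is reported at a lower severity but still deserves a look, since it is reachable by every local account.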

External Links:

Remove useless services/apps at linuxquestions.org

Useless services in CentOS VDS/VPS at nixcraft.com

Turn off Unnecessary Windows Services at www.marksanborn.net

Disable Unneeded Services in Windows at www.winhelp.us

Apache Server Hardening: Part Three

In the previous article, we discussed configuring the underlying OS and downloading and verifying Apache. After downloading and verifying the Apache source code, you need to do some research to decide which options you want to compile into your web server. There are many modules, such as mod_access (mod_authz_host in Apache 2.2 and later) and mod_ssl, that can be added to your server to provide additional functionality and security. A full list of the modules provided by the Apache Software Foundation can be found at the Apache web site. When choosing modules, select only what you need: every unnecessary module is extra code exposed to attackers and a slower server.

You should use caution in enabling and disabling services at compile time. Before you do so, determine the dependencies of your web server code. Failure to understand what services you require to operate could result in loss of critical functionality. It might be prudent to test your configuration in a lab environment before disabling services on a production server.


Once you've decided which modules and configurations to use, you should accomplish one final task before building your software: obscure the Apache version information located in the ap_release.h file in the $[ApacheSrcDir]/include directory. To do so, use vi, gedit, or the editor of your choice and alter the following lines to change the Software Vendor (Apache Software Foundation) and product information:

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPRODUCT "Apache"

Keep in mind that this is obscurity, not a fix: it hides the banner from casual scanners but does not change what the server is, and fingerprinting by behaviour still works. The ServerTokens and ServerSignature directives in httpd.conf control how much of the version string is sent without rebuilding, and we will return to them when we configure httpd.conf.
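Patching the source is one end of the spectrum; the same banner can be trimmed at run time. The fragment below is an added example for httpd.conf (not from this article), showing the verbose settings some distribution configurations ship beside the hardened ones:

```apache
# Weak: advertises version, OS and compiled-in modules in the Server header
# and appends a server signature to generated error pages (Debian-derived
# configurations ship "ServerTokens OS" and "ServerSignature On").
#ServerTokens Full
#ServerSignature On

# Hardened: send only the product name, and no footer on generated pages.
ServerTokens Prod
ServerSignature Off
```

ServerTokens Prod still reports "Server: Apache"; that word comes from AP_SERVER_BASEPRODUCT, which is why the build-time edit above is the only way to change it.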

In general, you’ll need to perform three steps to compile and install your Apache Web server, as follows:

  1. From the $[ApacheSrcDir] directory, run ./configure with the options you have chosen.
  2. After configuring the source, run make to compile the software.
  3. After compiling the software, run make install to install the Apache web server.

During the first step, you’ll decide what is added to the Apache server at compile time.

  • Remove mod_status: Provides potentially dangerous information via the server statistics web page
  • Remove mod_info: Provides potentially dangerous configuration information
  • Remove mod_include: Provides server-side include (SSI) functionality
  • Remove mod_userdir: Permits users to publish personal home pages from their ~user home directories
  • Add mod_ssl: Provides cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols
  • Add mod_log_forensic: Increases logging granularity to forensic levels
  • Add mod_unique_id: Required by the mod_log_forensic module

mod_security, a third-party Apache module available from www.modsecurity.org, provides web application firewall functionality: intrusion detection and prevention at the HTTP layer. To enable mod_security, you must download the software and compile it into the Apache web server. Adding mod_security increases the secure operation of your Apache web server and adds functionality including, but not limited to, the following:

  • HTTP protocol awareness
  • Anti-evasion measures such as URL encoding validation and normalization of encoded URLs
  • Enhanced audit logging
  • Built-in chroot functionality
  • Buffer overflow protection
  • HTTPS filtering

We will enable mod_security in our example because it adds so many security features to our system. The steps below match the source layout of ModSecurity 1.x, where the module is a single mod_security.c that is dropped into the Apache source tree; ModSecurity 2.x instead ships its own configure script and is built against an already installed httpd with apxs, so check the README of the version you downloaded. Once you have downloaded the mod_security source from the download page of the mod_security website, perform the following steps as root:

cd $[modsecuritySrcDir]/apache2

mkdir -p $[ApacheSrcDir]/modules/security

cp mod_security.c Makefile.in config.m4 $[ApacheSrcDir]/modules/security

cd $[ApacheSrcDir]

./buildconf

Now mod_security appears like any other Apache module, and when we configure Apache we will enable it with --enable-security. There are many options to consider in configuring the Apache source code for compilation. To view a list of options, issue the command ./configure --help from the $[ApacheSrcDir] directory.

After successfully configuring the source code, proceed with running make and make install. You will see a message indicating successful completion of building and installing Apache. Now that we have successfully installed the Apache web server software, we will proceed to the next step: configuring the httpd.conf file for secure operation. We will cover that in the next article.

External Links:

The official Apache website

The official ModSecurity website

Apache Server Hardening: Part One

In the next few articles, we will take a look at Apache server hardening. We will begin by considering OS vulnerabilities.

Apache Server Hardening: Patch the OS

Code deficiencies can exist in OSes and lead to OS and application vulnerabilities. Therefore, it is imperative that you fully patch newly deployed systems and remain current with all released functional and security patches. At regular intervals, review the published vulnerabilities at your OS manufacturer’s web site.

The following list gives some popular OSes and their security information sites:

  • Oracle Solaris: www.oracle.com/technetwork/server-storage/solaris11/technologies/security-422888.html
  • Microsoft: www.microsoft.com/technet/security/default.mspx
  • Mac OS: www.apple.com/support/security
  • Red Hat Linux: www.redhat.com/security
  • FreeBSD: www.freebsd.org/security
  • OpenBSD: www.openbsd.org/security.html

Because Apache is so often run on various Unix, Linux and BSD distributions, we include patching steps here so that you can confidently deploy your Apache web server on a well-hardened foundational OS. In general, each vendor provides a full suite of tools and information designed to help you remain current with their released software updates; become familiar with each vendor's OS patching methodology and software tools. As the security administrator, you should reserve predetermined maintenance windows during periods of low customer activity. However, the discovery of serious OS vulnerabilities could necessitate emergency downtime while patches are applied.


As with patching, all systems used to provide services such as HTTP and HTTPS to customers should be thoroughly hardened before they are placed in a production environment. Hardening includes many steps, such as the following:

  • Setting file permissions
  • Locking down accounts
  • Establishing proper OS security policies
  • Configuring host-based firewalls
  • Disabling vulnerable services

Now that we have a secure OS, it’s time to discuss how to properly and securely configure the Apache web server.

The Apache Web server is a powerful application through which you can deliver critical business functionality to customers. With this power comes the possibility of misuse and attack. To ensure that your Apache server is running securely, we have compiled a series of steps for Apache server hardening. You might also want to read additional information or review other Apache security checklist documents before deploying your Apache server. An excellent reference guide is the CIS Apache Benchmark document available at the Center for Internet Security and the NIST Apache Benchmark document available at csrc.nist.gov/checklists/repository/1043.html.

You should follow three general steps when securing the Apache web server:

  • Prepare the OS for Apache web server
  • Acquire, compile, and install the Apache web server software
  • Configure the httpd.conf file

We will cover all three of these crucial steps in future articles.

External Links:

13 Apache Web Server Security and Hardening Tips at www.tecmint.com

Apache 2.0 Hardening Guide

Apache Server Hardening & Security Guide at chandank.com

NoMachine Server Installation and Configuration

Installing the NoMachine server using the Debian package installer (dpkg).

In the previous article, we introduced the X Window system and discussed different X Window remote desktop options. In this article, I will cover installation of the NoMachine remote desktop server and the various server options.

To set up the NoMachine server, download and install it using whatever method is appropriate for your Linux distribution. As far as I know, it is not in any of the distribution repositories. To install the NoMachine server under Linux Mint, I downloaded NoMachine for Debian Linux and used the Debian package installer to install it:

sudo dpkg -i nomachine.4.1.29.5.i386.deb

After a few minutes, the NoMachine server was installed and ready to use. Depending on the distribution you are using, the installation may be more involved, but most of the major distributions have packages available that make it relatively painless.


Configuring the NoMachine Server

Once it is installed, you can launch the NoMachine server (on Linux Mint, it can be found in the Internet program group). The NoMachine server interface has two tabs, "Connected users" and "Active transfers", a "Connections" option to toggle whether connections are allowed, and a "Connection preferences" button.

The Services tab under Connection Preferences in the NoMachine server interface.

In “Connection preferences”, there are six separate tabs: “Services”, “Security”, “Devices”, “Transfers”, “Performance”, and “Updates”. “Services” lists the network services running and allows you to configure them. In this case, we are running the NX service on port 4000. There are two other options here: “Start automatic services at startup”, which causes services marked as automatic to be started when the machine starts, and “Advertise this computer on the network”, which causes NoMachine to broadcast the information other computers need to discover it on the local network.

The next tab is “Security Preferences”. There are three options here. The first is “Require permission to let remote users connect”, which if selected requires the local user to accept the connection before the remote user can connect to the desktop. The second is “Require permission to let the remote users interact with the desktop”, which if selected causes remote users to connect in view-only mode until the local user grants interaction. The third option is “Hide the NoMachine icon in system tray”; if this is selected, the NoMachine menu won’t be accessible under normal conditions, but notifications will still be displayed when somebody connects.

The “Devices” tab controls what devices are made available to the remote user. Disks, printers, USB devices, smart card readers, and network ports are selected by default. There is also an “Enable audio streaming and microphone forwarding” check box which is selected by default. The “Transfers” tab controls transfer preferences. Here you can allow or deny the uploading of files by remote users, and allow or deny the downloading of files. You can also disallow files bigger than a certain size for both uploads and downloads, and set the directory to which files are saved.

The “Performance” tab controls system performance and has four options. “Use a specific display encoding” allows the user to select from a dropdown list of encoding algorithms, including VP8, MJPEG and H264. “Request a specific framerate” allows the user to select a framerate from a dropdown list (a higher frame rate uses more processing power). “Use acceleration for display processing” uses the GPU and accelerated graphics (when available) for better performance. “Use lightweight mode in virtual sessions” causes virtual sessions to only use the X protocol compression, which may require less bandwidth and less computing resources.

The final tab is “Update”, which controls update preferences. There is an “Automatically check for updates” check box, as well as a button to check for updates immediately. This tab also includes information about the product, version number and platform.

Now that we have covered server configuration, in the next article we will cover accessing the system remotely using NoMachine.


External links:

The official NoMachine site

netfilter Operation: Part Eleven (Easy Firewall Generator and Firewall Builder)

Figure: Easy Firewall Generator in action.

Easy Firewall Generator

Easy Firewall Generator is not a GUI per se, but it does help simplify your netfilter configuration and avoid the need to be familiar with the iptables syntax. Using the Web page at http://easyfwgen.morizot.net/gen/index.php, you enter the relevant information and click the Generate Firewall button. As you select options, if additional information is needed, clicking the Generate Firewall button refreshes the page and provides the additional input fields. When all of the required information has been entered, the page changes to a text page that can be copied and pasted for iptables to read as a saved configuration. In Fedora, the iptables configuration is stored in /etc/sysconfig/iptables. Although this method requires you to replace the default iptables configuration file used by your distribution, it is fairly painless, and supports all of the same basic functionality as Firestarter.


Firewall Builder

Firewall Builder is the most complete GUI offering for managing netfilter firewalls, with features and capabilities comparable to some commercial firewall products. As is almost always the case, this functionality and capability come at a price: as far as netfilter GUIs are concerned, Firewall Builder is not the easiest to configure and use. If you want or need its superior management capabilities, however, the extra effort is well worth it. (Download Firewall Builder from www.fwbuilder.org.) Firewall Builder manages netfilter firewalls as well as ipfilter, OpenBSD PF, and Cisco PIX firewalls. Firewall Builder runs on many popular operating systems including Red Hat, Mandrake, Suse, FreeBSD, Mac OS X, and Windows XP/Vista/7/8.

Figure: Firewall Builder 5.1 on startup under Windows.

Firewall Builder operates differently than all of the GUIs covered so far. It uses an object-based approach. Essentially, you must define an object to represent any entity that you want to use in the firewall rules. In most cases this means a source, a destination, and a service port at a minimum. Both the configuration and the GUI bear a strong resemblance to those of the Checkpoint Firewall GUI. Once the objects are defined, you can drag and drop them into the rules in order to permit or deny communications between the two.

As of this writing, the current version of Firewall Builder is 5.1. Under Windows, navigate to Start -> Programs -> Firewall Builder 5.1 -> FWBuilder, which opens the main Firewall Builder window. Firewall Builder can also easily be installed under Linux. Under Linux Mint, I was able to install Firewall Builder using the apt-get command, like so:

sudo apt-get install fwbuilder

Once fwbuilder is installed, it can be accessed by clicking on the start menu, then navigating to Internet -> Firewall Builder, which will bring up the main Firewall Builder window.
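To make the object-based approach concrete, and to show the kind of saved configuration text that Easy Firewall Generator produces for /etc/sysconfig/iptables, here is an added example written for this page. It is a toy model in Python, not Firewall Builder's own object format or compiler and not Easy Firewall Generator's output: Network and Service objects are defined once, combined into Rule objects, compiled into iptables-save style text, and checked for rules that an earlier rule shadows. The addresses and rule set are constructed for illustration.

```python
"""Object-based firewall rules compiled to iptables-save style text.

Added example, not code from Firewall Builder or Easy Firewall Generator.
Objects are defined once and reused across rules, the way the GUI's
drag-and-drop model works; compile_policy() emits the saved-configuration
format that iptables-restore reads (Fedora keeps it in /etc/sysconfig/iptables).
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Network:
    """A source or destination object; "0.0.0.0/0" stands for 'any'."""
    name: str
    cidr: str

    def __post_init__(self):
        ipaddress.ip_network(self.cidr)  # raises ValueError on a bad prefix


@dataclass(frozen=True)
class Service:
    """A service-port object (tcp or udp)."""
    name: str
    proto: str
    port: int

    def __post_init__(self):
        if self.proto not in ("tcp", "udp") or not 1 <= self.port <= 65535:
            raise ValueError(f"bad service {self.name}: {self.proto}/{self.port}")


@dataclass(frozen=True)
class Rule:
    """Source, destination and service objects plus the action to take."""
    src: Network
    dst: Network
    svc: Service
    action: str
    comment: str = ""

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action}")


def compile_rule(rule):
    """Translate one Rule into a single INPUT-chain line in iptables-save syntax."""
    parts = ["-A INPUT"]
    if rule.src.cidr != "0.0.0.0/0":
        parts.append(f"-s {rule.src.cidr}")
    if rule.dst.cidr != "0.0.0.0/0":
        parts.append(f"-d {rule.dst.cidr}")
    parts.append(f"-p {rule.svc.proto} -m {rule.svc.proto} --dport {rule.svc.port}")
    if rule.comment:
        parts.append(f'-m comment --comment "{rule.comment}"')
    parts.append(f"-j {rule.action}")
    return " ".join(parts)


def compile_policy(rules, default="DROP"):
    """Emit a complete filter table: default-deny INPUT, loopback and
    established traffic allowed first, then the object-based rules in order."""
    lines = [
        "*filter",
        f":INPUT {default} [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines.extend(compile_rule(r) for r in rules)
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def find_shadowed(rules):
    """Indexes of rules that can never match because an earlier rule for the
    same service already covers their source and destination (first match wins)."""
    shadowed = []
    for i, later in enumerate(rules):
        l_src = ipaddress.ip_network(later.src.cidr)
        l_dst = ipaddress.ip_network(later.dst.cidr)
        for earlier in rules[:i]:
            if (earlier.svc == later.svc
                    and ipaddress.ip_network(earlier.src.cidr).supernet_of(l_src)
                    and ipaddress.ip_network(earlier.dst.cidr).supernet_of(l_dst)):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample objects (addresses are illustrative, not from the article).
ANY = Network("any", "0.0.0.0/0")
LAN = Network("lan", "192.168.1.0/24")
FIREWALL = Network("firewall", "192.168.1.1/32")
SSH = Service("ssh", "tcp", 22)
HTTP = Service("http", "tcp", 80)
NX = Service("nx", "tcp", 4000)  # the NX service port seen in the NoMachine section

RULES = [
    Rule(LAN, FIREWALL, SSH, "ACCEPT", "admin from LAN"),
    Rule(ANY, FIREWALL, HTTP, "ACCEPT", "public web"),
    Rule(LAN, FIREWALL, NX, "ACCEPT"),
]

if __name__ == "__main__":
    print(compile_policy(RULES), end="")
    print("shadowed rule indexes:", find_shadowed(RULES))
```

The shadowing check is the part worth keeping in mind when you work with any rule-based GUI: netfilter evaluates a chain top to bottom, so a permissive rule placed above a restrictive one for the same service silently disables the latter. Output from compile_policy() is in the same format as a file produced by iptables-save, so it could be fed to iptables-restore, but on a real host you would review it against the distribution's existing configuration first.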

In the next article, we will cover how to configure firewall rules in Firewall Builder.


External Links:

The official Firewall Builder website

Getting Started With Firewall Builder at howtoforge.com

© 2013 David Zientara. All rights reserved.