Sunday, July 30, 2017

Update (Offline) Ubuntu 16.04 Kernel to Latest Version

Recently I was experiencing a Wi-Fi connectivity issue on my Ubuntu 16.04 machine, which was running kernel version 4.4.0.x. Even though the lspci command output showed the presence of the Wi-Fi network card, it was not detected by the Ubuntu Network Manager. After a couple of trial-and-error attempts, I decided to upgrade the Ubuntu kernel to the latest stable version. However, since the machine had no Internet connectivity, I decided to do it offline. Below are the steps I followed.

To detect the presence of the Wi-Fi hardware, I used the lspci command. lspci is a utility for displaying information about the PCI buses in the system and the devices connected to them.

#lspci
..........
01:00.0 Network controller: Intel Corporation Wireless 3165 (rev 79)
..........

In order to start the offline kernel upgrade, the required kernel version first needs to be downloaded from the Ubuntu mainline kernel archive. To see which kernel versions are available for installation, open this URL in your browser address bar:
http://kernel.ubuntu.com/~kernel-ppa/mainline/
After deciding to install kernel version 4.10.0, I downloaded the .deb packages listed below. I didn't want the "low latency" flavour, just "generic" plus "all".

http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000_4.10.0-041000.201702191831_all.deb
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-image-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb

I wanted to install the 64-bit edition, therefore I downloaded the three packages above. Depending on your requirements (architecture and flavour), you will likewise need three packages: two header packages and one image package.

If you do have Internet connectivity, you can download them using the wget utility:
cd /tmp
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000_4.10.0-041000.201702191831_all.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-image-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb

After downloading the above three packages, I entered the command below to install them. You need to be inside the folder which contains the three *.deb packages:
#sudo dpkg -i *.deb

Upon completion of the installation process, I updated GRUB using the command below.
#sudo update-grub
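The packages above are fetched over plain HTTP, so before running dpkg -i it is worth checking them against the CHECKSUMS file that the mainline directory is assumed to publish next to them (sha256 lines in the "<hash>  <file>" layout sha256sum -c expects). The helper below is an added example, not code from the original post; the test uses constructed files rather than real downloads.

```shell
#!/bin/sh
# Added example, not from the original post: check the downloaded mainline
# .deb files against the CHECKSUMS file that the kernel-ppa directory is
# assumed to publish next to them (sha256 lines in "<hash>  <file>" form)
# before handing them to dpkg -i.
# Usage:   verify_debs CHECKSUMS linux-*.deb && sudo dpkg -i linux-*.deb

verify_debs() {
    checksums=$1
    shift
    status=0
    for deb in "$@"; do
        name=$(basename "$deb")
        # Escape the dots so the file name is matched literally by grep -E.
        pattern=$(printf '%s' "$name" | sed 's/[.]/\\./g')
        # Keep only 64-hex-digit (sha256) lines for this exact file name;
        # md5 lines that may also be present in CHECKSUMS are ignored.
        expected=$(grep -E "^[0-9a-f]{64}  (\./)?${pattern}\$" "$checksums" \
                   | head -n 1 | awk '{ print $1 }')
        if [ -z "$expected" ]; then
            echo "NO CHECKSUM: $name is not listed, refusing to trust it" >&2
            status=1
            continue
        fi
        actual=$(sha256sum "$deb" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            echo "OK: $name"
        else
            echo "MISMATCH: $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done
    return "$status"
}
```

A package that is unlisted or whose digest differs makes the function return non-zero, so the dpkg -i step after "&&" never runs.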

Remember that manually installed kernels like the one I've just installed are not automatically removed by Ubuntu. Ubuntu only removes older versions of the kernels it installs itself, keeping the current version and the one before it. Therefore, monitor the size of your /boot directory and periodically remove kernels you installed manually and no longer need. Don't use the rm command for this; follow the package-removal instructions you can find using Google.

In addition to the above method, if you have Internet connectivity, using Ukuu (which stands for 'Ubuntu Kernel Update Utility') is another way to do it. This straightforward desktop app helps you install a new kernel in Ubuntu, Linux Mint, and other Ubuntu-based distributions, using the "mainline" kernels published by Canonical.

Saturday, May 13, 2017

Ransomware Worm Attack - WannaCry

Ransomware attacks dubbed "WannaCry" started to spread around the world on 12 May 2017. In these attacks, data is encrypted and the extension ".WCRY" is appended to the file names. According to reports, the attack is initiated through an SMBv2 remote code execution vulnerability in Microsoft Windows, using the exploit code-named "EternalBlue". The "EternalBlue" exploit was made available on the internet through the Shadow Brokers dump of 14 April 2017.

Microsoft released security patches for this vulnerability on 14 March 2017 in Microsoft Security Bulletin MS17-010.

Affected Versions

  • Windows Vista (all editions)
  • Windows Server 2008 (all editions)
  • Windows 7 (all editions)
  • Windows Server 2008 R2 (all editions)
  • Windows 8.1 (all editions)
  • Windows RT 8.1 (all editions)
  • Windows Server 2012 and Windows Server 2012 R2 (all editions)
  • Windows 10 (all editions)
  • Windows Server 2016 (all editions)
  • Some of the obsolete Microsoft operating systems are also vulnerable (patches available through Microsoft Custom Support)

Recommended Course of Action

  • MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in the SMB server that are currently being used to propagate the WannaCry ransomware. Vulnerable operating systems should be updated with the relevant security patches (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
  • Microsoft has also released a patch for obsolete operating system versions. Please refer to the URL http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598.
  • If patching is not possible, make a business decision to disable SMB.
  • Make sure that you are running proper up-to-date anti-virus software.
  • Security devices such as IDS/IPS, SIEMs and firewalls should also be tuned to block suspicious inbound and outbound network traffic.

Additional Recommendations to Counter Ransomware Attacks

TechCERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web; see Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.

Wednesday, May 4, 2016

Huawei e3372 Modem not working with Ubuntu 16.04 LTS

I was experiencing an issue connecting my mobile broadband modem, a Huawei E3372, on Ubuntu 16.04 LTS. To fix this issue, I followed the procedure listed below.

In order to detect the available USB devices, the command below was used.
$lsusb

This will give you output like the one below.
Bus 001 Device 002: ID 0483:91d1 STMicroelectronics Sensor Hub
......
......
Bus 001 Device 010: ID 12d1:1506 Huawei Technologies Co., Ltd. Modem/Networkcard

The entry above pertaining to the Huawei modem specifies the Vendor ID and the Product ID, which are required to create usb_modeswitch rules. According to this output:
Vendor ID: 12d1
Product ID: 1506

In order to add a usb_modeswitch rule, I followed the steps listed below. Modeswitch rules should be added to the file "40-usb_modeswitch.rules" located in "/lib/udev/rules.d/". I opened this file with the vi editor for modification.
# sudo vi /lib/udev/rules.d/40-usb_modeswitch.rules

Then I added the following lines. The Product ID and the Vendor ID were captured from the output of the command "lsusb":
# Huawei E3272
ATTR{idVendor}=="12d1", ATTR{idProduct}=="157c", RUN+="usb_modeswitch '%b/%k'"

Finally, I reinserted the modem and tested the connection. There will be no message or confirmation, but the connection will appear in your panel just as it would if you inserted an Ethernet cable.

If you don't get the result expected above, try restarting your laptop and reconnecting the modem.

Monday, April 25, 2016

Securing Ubuntu 16.04 LTS: Disable Guest Account

Disable Guest Account in Ubuntu 16.04 LTS

LightDM configuration files are located in /usr/share/lightdm and /etc/lightdm. Disabling the Guest account can easily be done by adding a rule in one of the two directories. Below I made the change in /etc/lightdm:

First I created a folder inside /etc/lightdm using the command
# sudo mkdir /etc/lightdm/lightdm.conf.d

Secondly I changed the working directory by entering the command
# cd /etc/lightdm/lightdm.conf.d

Thirdly I created a file called '50-no-guest.conf' inside the above directory and added the two lines below to the newly created file.
To create the file:
# sudo vi 50-no-guest.conf

Then add the entries below to the file:
[SeatDefaults]
allow-guest=false

This can also be done in a single step with the command:
# sudo sh -c 'printf "[SeatDefaults]\nallow-guest=false\n" > /etc/lightdm/lightdm.conf.d/50-no-guest.conf'

In order to re-enable the Guest account, you may use the command:
# sudo rm /etc/lightdm/lightdm.conf.d/50-no-guest.conf
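Because LightDM reads several configuration files in sequence and the last assignment wins, a drop-in file like 50-no-guest.conf can be silently overridden by a later file (for example /etc/lightdm/lightdm.conf). The audit helper below is an added example, not from the original post; it assumes the read order documented in the header of lightdm.conf (/usr/share/lightdm/lightdm.conf.d/*.conf, then /etc/lightdm/lightdm.conf.d/*.conf, then /etc/lightdm/lightdm.conf) and honours both the [SeatDefaults] and the newer [Seat:*] section names. The ROOT parameter exists only so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example, not from the original post: report the allow-guest value
# LightDM will actually apply, by reading its configuration files in the
# order LightDM reads them (later files override earlier ones). The read
# order is an assumption taken from the header comment in lightdm.conf.

# lightdm_config_files [ROOT]  -> prints the existing config files in order
lightdm_config_files() {
    root=${1:-}
    for f in "$root"/usr/share/lightdm/lightdm.conf.d/*.conf \
             "$root"/etc/lightdm/lightdm.conf.d/*.conf \
             "$root"/etc/lightdm/lightdm.conf; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# lightdm_parse_allow_guest FILE...  -> prints "true" or "false"
lightdm_parse_allow_guest() {
    awk '
        FNR == 1            { section = "" }          # sections do not span files
        /^[[:space:]]*[#;]/ { next }                  # comment line
        /^[[:space:]]*\[/   {                         # [Section] header
            section = $0
            sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        (section == "SeatDefaults" || section == "Seat:*") &&
        $0 ~ /^[[:space:]]*allow-guest[[:space:]]*=/ {
            value = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", value)            # last assignment wins
        }
        END { if (value == "") value = "true"; print value }   # LightDM default
    ' "$@"
}

# lightdm_effective_allow_guest [ROOT]  -> prints the effective value
lightdm_effective_allow_guest() {
    files=$(lightdm_config_files "$1")
    if [ -z "$files" ]; then
        echo true
        return
    fi
    # Paths are assumed to contain no whitespace (true for the stock layout).
    lightdm_parse_allow_guest $files
}

# guest_session_disabled [ROOT]  -> exit 0 if guest login is off, 1 if on
guest_session_disabled() {
    [ "$(lightdm_effective_allow_guest "$1")" = "false" ]
}
```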

Friday, April 22, 2016

Creating Encrypted Private/Separate Partition on Ubuntu 16.04 LTS

I wanted to convert an already configured partition into an encrypted partition. As the encryption utility, "cryptsetup" was used.

Since mine was a fresh installation, I was not worried about losing data on my laptop. However, if you are planning to do the same, please make sure to back up all your data before starting the conversion.

The command below shows the details of the available disks.
#fdisk -l

Device         Start       End   Sectors  Size Type
/dev/sda1       2048    923647    921600  450M Windows recovery environment
/dev/sda2     923648   1128447    204800  100M EFI System
.......
/dev/sda6  567171072 582795263  15624192  7.5G Linux swap
/dev/sda7  582795264 781459455 198664192 94.7G Linux filesystem
/dev/sda8  781459456 976771071 195311616 93.1G Linux filesystem

Using the command below also shows you the details of the partitioned disks.
# df -h

Filesystem      Size  Used Avail Use% Mounted on
udev            3.9G     0  3.9G   0% /dev
tmpfs           788M  9.6M  778M   2% /run
/dev/sda7        94G  4.1G   85G   5% /
...........
...........
/dev/sda8      92G   60M   87G   1% /CERT

I wanted to convert the /dev/sda8 partition to an encrypted partition. In order to see how /dev/sda8 is integrated into the system, I looked at the fstab file. The fstab file (/etc/fstab, or file systems table) is a system configuration file on Debian-based systems. It typically lists all available disks and disk partitions and indicates how they are to be initialized or otherwise integrated into the overall system's file system. This configuration file can be read using the command:
#cat /etc/fstab
# /etc/fstab: static file system information.
#
# / was on /dev/sda7 during installation
UUID=61050990-a94f-4629-81cb-14722123d668 /               ext4    errors=remount-ro 0       1
# /CERT was on /dev/sda8 during installation
UUID=424bae11-5e73-44e8-9ccd-d1eb3ef44f82 /CERT           ext4    defaults        0       2
# /boot/efi was on /dev/sda2 during installation
UUID=E413-CC25  /boot/efi       vfat    umask=0077      0       1
# swap was on /dev/sda6 during installation
UUID=1dd43a59-2bc7-49ce-b7b3-964ec836620f none            swap    sw              0       0

To encrypt the partition, I used the Disk Utility that comes with Ubuntu 16.04. The steps below show the process of encrypting a partition.

The figure below shows the file system before the encryption.

The figure below shows the way of encrypting the partition. At this stage you need to enter a strong passphrase which complies with password security best practices.

The figure below shows the file system configuration once the encryption is finished.

Finally, I rebooted the system to check for possible errors. After rebooting the OS, I manually mounted the encrypted partition. The image below shows a snapshot of the manual mounting process; the passphrase needs to be entered here.

Errors encountered during the process of setting up an encrypted partition.

If you don't already have "cryptsetup" installed, you will get the error message below when you try to create the encrypted partition.

Oops. I got the above error message, so I installed cryptsetup using the command below and restarted the encryption process.
#sudo apt-get install cryptsetup

If you forgot to comment out or delete the existing entry pertaining to /dev/sda8 in /etc/fstab, you will encounter an error message during reboot. Unfortunately I ran into that very error. :(

I ended up with an error message saying:
"A start job is running for dev-disk-by\x....................device. " 

After waiting up to 90 seconds, I found myself in emergency mode.

In order to troubleshoot, I ran the steps below.
To view the active and inactive disk units, I used the command:
#systemctl --full -a | grep x2duuid

When listing units, "-a" shows all loaded units regardless of their state, including inactive ones. Filtering for "x2duuid" (systemd writes the "-" of "by-uuid" as "\x2d" in unit names) shows only the disk units, active and inactive. The received output is:


The above output shows that the partition with the UUID 424bae11-5e73-44e8-9ccd-d1eb3ef44f82 is inactive. This is the encrypted partition.

I commented out the entry pertaining to the above partition in fstab, as shown below.

# cat /etc/fstab
# /etc/fstab: static file system information.
#
# / was on /dev/sda7 during installation
UUID=61050990-a94f-4629-81cb-14722123d668 /               ext4    errors=remount-ro 0       1
# /CERT was on /dev/sda8 during installation
#UUID=424bae11-5e73-44e8-9ccd-d1eb3ef44f82 /CERT           ext4    defaults        0       2
# /boot/efi was on /dev/sda2 during installation

As the final step, I rebooted my system and fortunately it worked for me.

After the OS has booted up, you can manually mount the encrypted partition by double-clicking it in the file explorer.
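The 90-second "start job" hang above happens because, once the partition is wrapped in LUKS, the file system UUID that the old fstab line refers to is no longer visible to the system until the container is unlocked, so systemd waits for a device that never appears. The helper below is an added example, not from the original post: it lists fstab UUID= entries whose device is absent from /dev/disk/by-uuid and that carry neither "nofail" nor "noauto", which are exactly the entries that will block the boot. The BY_UUID argument exists only so the check can run against a test tree.

```shell
#!/bin/sh
# Added example, not from the original post: find /etc/fstab entries that
# will stall the boot the way the /CERT entry did. An entry whose UUID is
# not present under /dev/disk/by-uuid and that lacks "nofail" or "noauto"
# makes systemd wait 90 s and then drop to emergency mode.
# Usage:   fstab_boot_risks /etc/fstab /dev/disk/by-uuid

# fstab_boot_risks FSTAB BY_UUID  -> exit 1 if a blocking entry is found
fstab_boot_risks() {
    fstab=$1
    byuuid=$2
    rc=0
    while read -r src mnt fstype opts rest; do
        case $src in
            '' | \#*) continue ;;              # blank or commented-out line
            UUID=*)   uuid=${src#UUID=} ;;
            *)        continue ;;              # /dev/..., LABEL=, tmpfs, ...
        esac
        if [ -e "$byuuid/$uuid" ]; then
            continue                           # device is present: fine
        fi
        case ",$opts," in
            *,nofail,* | *,noauto,*)
                echo "tolerated:   $mnt  (UUID $uuid missing, opts=$opts)" ;;
            *)
                echo "BLOCKS BOOT: $mnt  (UUID $uuid not in $byuuid)"
                rc=1 ;;
        esac
    done < "$fstab"
    return "$rc"
}
```

Run it before rebooting after any re-partitioning or encryption change; a non-zero exit means at least one entry has to be commented out (as done above), given "nofail", or moved to the encrypted device's own unlock-and-mount setup.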

Install Oracle VirtualBox 5.0.18 on Ubuntu 16.04 ("Xenial") Desktop AMD64

I was trying to install Oracle VirtualBox 5.0.18 on my newly installed Ubuntu 16.04 ("Xenial") Desktop AMD64.

VirtualBox 5.0.18 for Ubuntu 16.04 Desktop AMD64 edition can be downloaded from: http://download.virtualbox.org/virtualbox/5.0.18/virtualbox-5.0_5.0.18-106667~Ubuntu~xenial_amd64.deb

Once it was downloaded, I entered the command below to install it.
#sudo dpkg -i virtualbox-5.0_5.0.18-106667~Ubuntu~xenial_amd64.deb

However, I got the dependency errors listed below.
dpkg: dependency problems prevent configuration of virtualbox-5.0:
 virtualbox-5.0 depends on libqt4-opengl (>= 4:4.7.2); however:
  Package libqt4-opengl is not installed.

dpkg: error processing package virtualbox-5.0 (--install):
 dependency problems - leaving unconfigured
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for hicolor-icon-theme (0.15-0ubuntu1) ...
Processing triggers for shared-mime-info (1.5-2) ...
Processing triggers for gnome-menus (3.13.3-6ubuntu3) ...
Processing triggers for desktop-file-utils (0.22-1ubuntu5) ...
Processing triggers for bamfdaemon (0.5.3~bzr0+16.04.20160415-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for mime-support (3.59ubuntu1) ...
Errors were encountered while processing:
 virtualbox-5.0

I assume that you might have also encountered the same error while trying to install VirtualBox on Ubuntu 16.04.

To resolve the above error, I tried the commands listed below. First I refreshed the package index using:
#sudo apt-get update

Then I installed the missing package using the command:
#sudo apt-get install libqt4-opengl

At this stage you may try the command below instead of installing the missing packages individually.
#sudo apt-get -f install

This will fix the previously encountered error and recompile the VirtualBox kernel modules, and you will get the output below in your terminal.
Setting up virtualbox-5.0 (5.0.18-106667~Ubuntu~xenial) ...
Adding group `vboxusers' (GID 129) ...
Done.
Stopping VirtualBox kernel modules ...done.
Recompiling VirtualBox kernel modules ...done.
Starting VirtualBox kernel modules ...failed!
  (modprobe vboxdrv failed. Please use 'dmesg' to find out why)
Processing triggers for libc-bin (2.23-0ubuntu3) ...

Wednesday, April 20, 2016

Verify Package Integrity Using RPM

RPM is a great utility used to install, upgrade and verify software packages on your Red Hat system. It's the verify feature that we are most interested in as this can be used to check our files and make sure they have not been modified or replaced.

I was trying to check package integrity using RPM. Unfortunately, I was having a hard time reading the output.

For example, how should I interpret the output below?

S.5....T.    /etc/init/serial.conf
.M.......    /usr/lib
.M....G..    /usr/sbin/cvuqdisk
missing     /lib/modules/2.6.32-300.25.1.el6uek.x86_64/extra

Here I'm sharing a way of interpreting the output of the command:
# rpm -qVa | awk '$2 != "c" {print $0}'

To explain the switches of the above command: "-V" verifies the integrity of all files associated with a package, "-a" applies this to every installed package, and the awk filter drops the lines whose second field is "c", i.e. files RPM marks as configuration files. The output we receive may look like the output published above.

The only files listed are the files that fail verification; any files not listed are assumed to be OK. On the left of this output we have the reason why this particular file failed the verify check. A legend of the results is as follows:

S = size change
M = permissions change
5 = MD5 changed
L = Symlink changed
D = Device change
U = User change
G = Group change
T = Date/Time change
missing = file is gone

When reviewing RPM's output, keep an eye out for very strange entries, such as a change in the MD5 value while the date/time stamp and/or file size are reported as unchanged. This could be caused by an attacker who has modified or replaced files and is trying to cover their tracks. For the other files, we need to check carefully whether their integrity has been compromised or not.

To analyze the results: in the above output, for example, the first line says that the file /etc/init/serial.conf has been modified. For configuration files this is common, since they need to be modified to suit the requirements; but we should ensure that they have been modified correctly and that the changes are legitimate.
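The triage described above can be mechanised with the legend as the rule set. The function below is an added example, not from the original post: it reads "rpm -V" output on stdin, flags a file whose digest ("5") changed while size ("S") and mtime ("T") are reported unchanged as SUSPICIOUS (the backdated-replacement pattern), reports changed config files ("c") separately so they get reviewed rather than dropped, and exits non-zero when anything suspicious was seen. The sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: triage "rpm -V" output using
# the legend above. Column layout of the flag string: S M 5 D L U G T, with
# a ninth "P" (capabilities) column in newer rpm versions; an optional
# attribute marker (c, d, g, l, r) may precede the path.
# Usage:   rpm -Va | rpm_verify_triage     (exit 1 if anything is SUSPICIOUS)

rpm_verify_triage() {
    awk '
        NF < 2 { next }
        {
            flags = $1
            attr  = (NF >= 3) ? $2 : ""        # c, d, g, l, r ... or absent
            path  = $NF
            if (flags == "missing") {
                printf "MISSING    %s\n", path
                next
            }
            size  = substr(flags, 1, 1)
            md5   = substr(flags, 3, 1)
            mtime = substr(flags, 8, 1)
            # digest changed but size and timestamp preserved: the pattern
            # a tampered-and-backdated replacement leaves behind
            if (md5 == "5" && size == "." && mtime == ".") {
                printf "SUSPICIOUS %s  (content changed, size and mtime unchanged)\n", path
                bad = 1
                next
            }
            if (attr == "c")
                printf "CONFIG     %s  (%s)\n", path, flags
            else
                printf "CHANGED    %s  (%s)\n", path, flags
        }
        END { if (bad) exit 1 }
    '
}
```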