Ubuntu Vs Debian Vs Linux Mint

2020-06-26

When I was a newcomer to Linux, I remember having the typical issue of picking a distribution. Ubuntu is the typical answer with Linux Mint coming in second. It gets confusing when you try to figure out what they do differently from each other since they're based on each other. I'll do a quick overview of how the distributions (distros) are related and the major differences between them.

Debian is the farthest upstream. Many decisions they make flow down to Ubuntu and Linux Mint. Debian Stable is the recommended branch. It is very reliable, but software only gets security updates between releases, so it becomes quite dated by the time the next release arrives. Releases happen roughly every 2 years and 1 release is officially supported at a time.

Ubuntu builds off Debian's packaging infrastructure to create its own distro. When it's time to release, Ubuntu grabs packages from Debian's Unstable branch and ensures they're in working order. Its installer is a bit prettier, but the main difference is that it makes installing non-free drivers easier with an automatic tool. It releases on a set schedule with an LTS coming out every 2 years and a non-LTS releasing every 6 months in between. The LTS releases are supported for 5 years. Software and kernels are updated during release. This means fairly fresh kernels are available in case you need them for new hardware.

Linux Mint builds from Ubuntu by releasing based off their LTS releases. Their Cinnamon Desktop Environment is very easy to understand for people coming from Windows and is the main reason to consider it. It contains easy to use graphical tools for package management (program installation and updates) and a desktop that has items in the same positions as Windows.

Beyond these major differences there are often smaller changes to defaults that can make Ubuntu or Linux Mint a better choice for beginners.

You may find Linux Vs Windows Should You Switch useful if you're looking to switch from Windows.


Setting Up A WAF

2020-06-01

I regularly check my server logs for traffic and to see what attacks are happening. My site isn't high value so they're nearly all low effort scans like checking for a WordPress login page. As I see possible issues, I'll add a little more security. A few days ago I saw someone had found my admin login page and tried to log in 30 times. I'm not really concerned someone will succeed, but it seemed like a good time to make it impossible. A reasonable limit on attempts will make any brute force attack too slow to be useful.

My requirements were to do this as far up the stack as reasonable and use FOSS. Some of the choices I looked at were django-ratelimit, mod_qos and mod_security. Django-ratelimit would be easy to set up for this, but implementing this in Python so far down the stack seems like a good way to create a bottleneck. Mod_qos is an Apache module that had the features I wanted and a simple rule syntax. It doesn't guarantee support for event mpm, which is a deal breaker; any other worker type will have far worse performance. I ended up using mod_security, which has far more features than I'll need. It's a FOSS web application firewall (WAF) implemented as an Apache module with a language similar to nftables.

Initial setup of mod_security on Debian is easy: just apt install and change the recommended conf to .conf in /etc/modsecurity. This will start logging requests that get caught by the OWASP core rule set. The core rule set has a large number of rules for many common apps and situations. The rule set has restriction levels called paranoia levels from 1 to 4. The default is 1 and that's what I've left it at for now. Congratulations, your server has another layer of protection from low effort attacks.

Now on to the high value work, setting up rules for my Django admin login. Setting up my own rules was not easy. I couldn't find anything resembling a quick start guide for Debian. It was unclear to me where my .conf rule file should go and what it should be named. I started out with it in /etc/modsecurity/crs with the other rules files. It didn't work until I put it in /etc/modsecurity. I finally found out where the rules were located by investigating the Apache mod directly:

vi /etc/apache2/mods-enabled/security2.conf

Rules load from /etc/modsecurity/ and /usr/share/modsecurity-crs/.

The other hurdle is figuring out the syntax, as there is no guide. I ended up piecing it together using the 2.X Reference Guide and reading rules that were similar to what I wanted to do. It became clear each rule should start with SecRule, and looking that up in the reference guide will give you the syntax for that command. I also found this guide for securing a WordPress login which is nearly what I wanted. I didn't want to do it by user since I could get locked out, or use LocationMatch since that means having to put it on every vhost (rate limiting login pages is good general policy), and resetting the counter for successful logins seemed unnecessary. Here's what I came up with:

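# Set up the per-IP persistent collection
SecAction phase:1,id:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}
# Deny and log every request from an IP while its block flag is set
SecRule ip:login_brute_force_block "@eq 1" "id:2, phase:1, deny, status:401, msg:'DOS attack from %{REMOTE_ADDR}'"
# Add to count each time login page accessed; the count expires 60 seconds after the last attempt
# (rule ids must be unique, so this one is 3 rather than a second 4)
SecRule REQUEST_FILENAME "@beginsWith /admin/login/" "id:3, phase:1, pass, t:none, setvar:ip.login_brute_force_counter=+1,\
expirevar:ip.login_brute_force_counter=60"
# Set block after 10 attempts, lift it after 60 seconds and reset the counter
# (without the reset the counter stays at 10 and the block is set again on every request)
SecRule ip:login_brute_force_counter "@ge 10" "id:4, phase:5, pass, t:none, setvar:'ip.login_brute_force_block=1',\
setvar:'ip.login_brute_force_counter=0', expirevar:'ip.login_brute_force_block=60'"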

This means only 10 requests per minute will be allowed from an IP. Since I'm the only one using the interface there is no chance of being locked out and brute force attacks will take too long to be effective.
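To see from the Apache access log which clients would trip this limit, the same 10 attempts per 60 seconds threshold can be replayed over the log offline. This is an added example, not part of the original post; it assumes the standard common/combined log format, and the sample lines are constructed with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PREFIX = "/admin/login/"  # path matched by the counter rule
LIMIT, WINDOW = 10, 60          # 10 attempts within 60 seconds

# Apache common/combined format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, path, status) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, path, status = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def offenders(lines, limit=LIMIT, window=WINDOW):
    """Map each IP that reached the limit to its peak attempts in one window."""
    recent = defaultdict(deque)  # ip -> login timestamps inside the window
    peak = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[2].startswith(LOGIN_PREFIX):
            continue
        ip, when = rec[0], rec[1]
        hits = recent[ip]
        hits.append(when)
        while (when - hits[0]).total_seconds() >= window:
            hits.popleft()  # drop attempts that fell out of the window
        if len(hits) >= limit:
            peak[ip] = max(peak.get(ip, 0), len(hits))
    return peak

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    fmt = '{} - - [01/Jun/2020:10:{:02d}:{:02d} +0000] "{} HTTP/1.1" {} 512'
    lines = [fmt.format("203.0.113.7", 0, 2 * i, "POST /admin/login/", 200)
             for i in range(30)]  # 30 attempts in under a minute
    lines += [fmt.format("198.51.100.20", m, 0, "POST /admin/login/", 302)
              for m in (5, 10, 15)]  # occasional logins, minutes apart
    lines.append(fmt.format("192.0.2.9", 20, 0, "GET /wp-login.php", 404))
    lines.append("not an access log line")
    return lines

if __name__ == "__main__":
    for ip, count in offenders(sample_log()).items():
        print(ip, "peak attempts per window:", count)
```

Running it over the real access log before enabling the rules shows whether any legitimate client, including your own address, would have been blocked.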


Website Switched To BuyVM

2020-05-14

Website has been moved to BuyVM using the same stack as before. There are several companies that offer the same or better specs as Digital Ocean (DO) with lower prices that I'd been considering. The last straw was not being able to log in to DO without switching Firefox to less secure settings (first party isolate off and resistfingerprinting off) and switching uBlock Origin to easy mode so it could contact a ridiculous amount of random domains.

The switchover took longer than I anticipated, but I took a lot of notes so setting up Debian should go quicker next time. I also swapped the domain and DNS to NameSilo since it saved me a couple bucks and made my DNS independent of hosting provider. BuyVM's weird rules also slowed me down. They had to provision during normal business hours and my contact info had to match my payment info EXACTLY. The first pushed the swap to Monday and the second made me really rethink the decision, leading to a few hours wondering if I should dump them and stay with DO. Luckily, setting up the VM was about the same as DO except I had to do the initial ssh key setup myself. Curiously, they had an outdated Debian image for install just like DO. The second step was apt upgrade and a restart.

After the switch I save $1.5 a month, have unlimited bandwidth and lose 5GBs of storage. This puts me in a good position to try and run more services through my website.


Linux Vs Windows Should You Switch

2020-03-25

As Microsoft has continued pushing updates on users, people have started looking for an alternative. With that in mind, I'd like to highlight the differences between Windows and Linux and whether you should switch to Linux.

The first difference you'll notice is choice. There are many different options that you can choose from to run Linux, called distributions. Linux is just the core that an operating system (OS) is built around. The second is that software is typically installed directly from the distribution. This ensures integration in the system, libraries (backend programs that your programs run) get updated and you don't have duplicate programs or libraries installed. Drivers come with Linux so if you have a computer, printer etc. that says it works with Linux, it'll work. No tracking down drivers and your drivers aren't made obsolete when the OS is upgraded! The OS is completely controlled by you; upgrades only happen when YOU tell them to. Most upgrades don't require a reboot.

Should you switch? If Linux supports the hardware and software you need, absolutely. Desktops, business laptops and servers are supported. Consumer laptops, 2-in-1s, all-in-one printers and brand new components like the latest graphics card may need special attention. Most of these will still work, but you may lose features like wireless networking, fingerprint scanner or touchpad. The most direct way to find out what works is putting Ubuntu on a thumb drive and booting from that. That's right, you can try out Linux without touching your current setup, for free. If you're less adventurous, do a web search for Linux "make model". There should be some useful results. If not, distribution wikis are a good resource to check: Arch Wiki, Ubuntu Wiki. Assuming your hardware is compatible, it's time to check software.

First off, all software that runs in a browser will work. There's a good amount of software that won't run on Linux, but there are typically good equivalents. Microsoft Office won't work, but LibreOffice can handle the same items. It runs on Windows too so you can try it out before switching, for free. Microsoft Outlook won't work, but there's Kontact, Evolution or Thunderbird. A good amount of these programs will run on Windows so you can try them out to make sure they'll fill your needs. For the best experience, don't try to use Windows software or file formats from Windows programs on Linux. Windows and some Windows-only programs use several techniques to create vendor lock-in, and the best way to avoid frustration is to completely drop them and switch to Linux/Linux native programs all at once.

By now you should have a good start to planning your migration. If you run into issues during your switch to Linux, look up your local Linux user group (LUG), forums for your distribution or me.


Use Python For Your Excel Macros

2020-03-23

Almost everyone has (ab)used Excel as a data processing tool. Excel is used since it's ubiquitous and easy to get started with. Once you start doing really interesting things, you'll end up with equations ready to break at the slightest change or spanning many sheets. The industrious have even learned Visual Basic to take it further or try to wrangle it to a sense of sanity. In the end you're not using the right tool for the job.

Excel can still be used as the frontend, but the heavy lifting should be done with Python. It's easier to write and read with support for tons of packages that make it more useful and maintainable long term. You can even ditch Excel for LibreOffice (which has native support for Python macros), a standalone desktop GUI or web GUI in the long run. Let's take a look at how using Python would work.

You'll need to install the xlwings package using pip or conda and add xlwings to Excel. The easiest way to get started is to open a command prompt and type xlwings quickstart myproject. Then import it in your Python file.

import xlwings as xw

Next you connect to the book:

wb = xw.Book.caller()

Now you can start grabbing data from the file using its cell position or cell name if you've given it one:

x = xw.Range('C1').value
y = xw.Range('name').value

Naming cells is good practice to make the sheet more robust. The name will follow the cell if it's moved, allowing the sheet to be rearranged without breaking the macro. The data is now available to Python allowing you to do pretty much anything. Database access for postgres, mysql/mariadb, sqlite etc. is easy using their respective drivers.

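import sqlite3

conn = sqlite3.connect('E:\\WinPython-64bit-3.4.3.5\\notebooks\\CraneCapacityLookUp\\crane.db')
c = conn.cursor()
# crane (the table name) and dbin (the values bound to the numbered ? placeholders)
# are defined elsewhere in the macro and are not shown here.
# A table name can't be bound with ?, so crane must only ever be a known table name,
# never raw text typed into the sheet.
boom_config = xw.Range('Boom_Config').value
if boom_config == 'SF' or boom_config == 'SA':
    # These configurations match on jib length and jib angle
    c.execute("SELECT Capacity FROM {} WHERE BoomType == ?1 and Counterweight == ?2 and Outrigger == ?3 and BoomLen == ?4 and BoomAngle is Null and JibLen == ?6 and JibAngle == ?7 and Radius >= ?8".format(crane), dbin)
elif boom_config == 'SH':
    # This configuration has Null jib columns
    c.execute("SELECT Capacity FROM {} WHERE BoomType == ?1 and Counterweight == ?2 and Outrigger == ?3 and BoomLen == ?4 and BoomAngle is Null and JibLen is Null and JibAngle is Null and Radius >= ?8".format(crane), dbin)
# First matching row as a tuple, or None if nothing matched
Capacity = c.fetchone()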
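Because the table name in the query above is inserted with format() while the values are bound, the table name is the part that needs checking when it comes from a cell. The following is an added example, not the original macro: the function names, the crane_a table, the reduced column set, the ORDER BY clause and the in-memory data are all assumptions made for illustration.

```python
import sqlite3

def known_tables(conn):
    """Names of the real tables, read from SQLite's own catalog."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {name for (name,) in rows}

def lookup_capacity(conn, crane, boom_type, boom_len, radius):
    """Capacity from the nearest chart row with Radius >= radius, or None."""
    # Identifiers cannot be bound, so accept only a name the database already has.
    if crane not in known_tables(conn):
        raise ValueError("unknown crane table: {!r}".format(crane))
    quoted = '"' + crane.replace('"', '""') + '"'  # quote the identifier as well
    sql = ("SELECT Capacity FROM {} WHERE BoomType = :boom_type "
           "AND BoomLen = :boom_len AND Radius >= :radius "
           "ORDER BY Radius LIMIT 1").format(quoted)  # ORDER BY is an assumption
    params = {"boom_type": boom_type, "boom_len": boom_len, "radius": radius}
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None

def build_sample_db():
    """Constructed in-memory data standing in for crane.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crane_a "
                 "(BoomType TEXT, BoomLen REAL, Radius REAL, Capacity REAL)")
    conn.executemany("INSERT INTO crane_a VALUES (?, ?, ?, ?)", [
        ("SH", 100.0, 30.0, 52000.0),
        ("SH", 100.0, 40.0, 41000.0),
        ("SH", 100.0, 50.0, 33000.0),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_capacity(db, "crane_a", "SH", 100.0, 35.0))
    try:
        # A cell value that is not a table name is refused before any SQL runs.
        lookup_capacity(db, 'crane_a" WHERE 1=1 --', "SH", 100.0, 35.0)
    except ValueError as err:
        print("rejected:", err)
```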

The data is then written back to Excel by doing the opposite of what we did grabbing the data:

xw.Range((row,colCap)).value = Capacity

The user would run the script by clicking the Run button in the xlwings tab on the ribbon. You get all the advantages of a macro without having to use Visual Basic.