Top 20 OpenSSH Server Best Security Practices

Posted by Jeff Rangel | | Posted on 4:05 PM


by Vivek Gite


OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect for keeping the confidentiality and integrity of data exchanged between two networks and systems. However, its main advantage is server authentication through the use of public key cryptography. From time to time there are rumors about an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.

Default Config Files and SSH Port

  • /etc/ssh/sshd_config - OpenSSH server configuration file.
  • /etc/ssh/ssh_config - OpenSSH client configuration file.
  • ~/.ssh/ - Users ssh configuration directory.
  • ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
  • /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny - Access control lists that are enforced by tcp-wrappers are defined here.
  • SSH default port : TCP 22

SSH Session in Action (screenshot)

#1: Disable OpenSSH Server

Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the sshd server. CentOS / RHEL / Fedora Linux users can disable and remove openssh-server with the yum command:
# chkconfig sshd off
# yum erase openssh-server

Debian / Ubuntu Linux users can disable and remove the same with the apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove the ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done, restart the iptables service:
# service iptables restart
# service ip6tables restart

#2: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) has man-in-the-middle attack problems and other security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:

Protocol 2

#3: Limit Users' SSH Access

By default all system users can log in via SSH using their password or public key. Sometimes you create a UNIX / Linux user account for ftp or email purposes. However, those users can also log in to the system using ssh. They will have full access to system tools, including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated PHP script and an attacker was able to create a new account on the system via that PHP script. However, the attacker failed to get into the box via ssh because the account wasn't in AllowUsers.

To only allow the root, vivek and jerry users to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM to allow or deny login via the sshd server. You can allow a list of group names to access ssh, or deny them access.

#4: Configure Idle Log Out Timeout Interval

Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.

#5: Disable .rhosts Files

Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command; this setting disables that insecure RSH-style access.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, bob made an excellent point:

Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You'd get your password spoofed but not root's pw. Gimme a break. This is 2005 - we have ssh; used properly it's secure. Used improperly, none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:

+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.

+ At any time, the XYZG may inspect and seize data stored on this IS.

+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.

+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.

+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

The above is a standard sample; consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating your iptables or pf firewall configuration. Usually, an OpenSSH server should only accept connections from your LAN or from other known remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Red Hat and friends specific file) to accept connections only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you've dual-stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Red Hat and friends specific file), enter:

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

#9: Change SSH Port and Limit IP Binding

By default SSH listens on all available interfaces and IP addresses on the system. Limit ssh port binding and change the ssh port (by default, brute forcing scripts only try to connect to port # 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach is to use proactive scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrases for your keys. Brute force attacks work because people use dictionary-based passwords. You can force users to avoid passwords that are vulnerable to a dictionary attack, and use the John the Ripper tool to find existing weak passwords. Here is a sample random password generator (put it in your ~/.bashrc):

genpasswd() {
    local l=$1
    [ "$l" == "" ] && l=20
    tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Run it:
genpasswd 16
Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use a public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use a passphrase-free key (a key with no passphrase) for login.

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse server directories such as /etc/, /bin and so on. You can protect ssh using an OS-based chroot or special tools such as rssh. With the release of OpenSSH 4.8p1 or 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users to their home directories. See this blog post about the new ChrootDirectory directive to lock down users to their home directories.

#14: Use TCP Wrappers

TCP Wrapper is a host-based networking ACL system used to filter network access to Internet services. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12

See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed computer network. To prevent brute force attacks against SSH, use one of the following programs:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock blocks abusive SSH login attempts.
  • security/sshit checks for SSH/FTP brute force attempts and blocks the given IPs.
  • BlockHosts - Automatic blocking of abusive IP hosts.
  • Blacklist - Get rid of those brute force attempts.
  • Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
  • IPQ BDB filter May be considered as a fail2ban lite.
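
All of the tools above work the same way at their core: they count authentication failures per source address in the sshd log and act on the addresses that cross a threshold. As an added example (not from the article and not taken from any of the projects listed), here is that counting step in plain shell, run over a few constructed auth-log lines in the usual syslog format. The function names, the threshold and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example: count sshd authentication failures per source address in
# an auth log and report the addresses over a threshold.  This is the
# detection half of what DenyHosts and fail2ban do; the blocking half is
# left to hosts.deny or the firewall rules shown in the article.

# failed_login_sources LOGFILE
# Print "count ip" pairs, most frequent first, for sshd "Failed password"
# and "Failed publickey" lines.  The source address is the word after
# "from", which handles both "for USER from IP" and "for invalid user
# USER from IP".  Accepted logins and non-sshd lines are ignored.
failed_login_sources() {
    awk '
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -rn
}

# offending_sources LOGFILE THRESHOLD
# Print, one per line, the addresses with more than THRESHOLD failures.
offending_sources() {
    failed_login_sources "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Constructed sample log (not captured from a real host): six failures
# from 203.0.113.5 against non-existent accounts, three root attempts
# from 198.51.100.9, and one typo followed by a successful login from
# the LAN address 192.168.1.7.
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jul 23 08:13:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 23 08:13:03 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 23 08:13:05 host sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Jul 23 08:13:07 host sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Jul 23 08:13:09 host sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Jul 23 08:13:11 host sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Jul 23 08:14:10 host sshd[2240]: Failed password for vivek from 192.168.1.7 port 51002 ssh2
Jul 23 08:14:12 host sshd[2240]: Accepted password for vivek from 192.168.1.7 port 51002 ssh2
Jul 23 08:15:00 host sshd[2250]: Failed password for root from 198.51.100.9 port 3022 ssh2
Jul 23 08:15:02 host sshd[2250]: Failed password for root from 198.51.100.9 port 3022 ssh2
Jul 23 08:15:04 host sshd[2251]: Failed publickey for root from 198.51.100.9 port 3023 ssh2
EOF

# Stand-alone run: the per-source table, then the sources with more than
# 5 failures (only 203.0.113.5 in the sample).
failed_login_sources "$SAMPLE_AUTH_LOG"
echo "over threshold:"
offending_sources "$SAMPLE_AUTH_LOG" 5
```

Pointed at /var/log/auth.log or /var/log/secure with a threshold of your choice, the output of offending_sources is exactly the list a DenyHosts-style tool would feed into /etc/hosts.deny or an iptables DROP rule; the point of the example is that the decision is made from the log, not from the live connection, so it also works on logs shipped to a central host.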

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide rate-limit options to perform simple throttling on incoming connections to port # 22.

Iptables Example

The following example will drop incoming connections from sources that make more than 5 connection attempts on port 22 within 60 seconds:

#!/bin/bash
IPT=/sbin/iptables   # path to the iptables binary, adjust as needed
inet_if=eth1
ssh_port=22
# Record every new connection to the ssh port, then drop a source once it has
# hit the port too often (hitcount 5) within the last 60 seconds
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above script from your iptables scripts. Another config option:

# Accept at most 3 new ssh connections per minute (burst 3); anything over the limit
# falls through to the chain's default policy, which is assumed to be DROP
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limit the maximum number of connections per source to 20 and rate-limit the number of connections to 15 in a 5 second span. If anyone breaks these rules, add them to our abusive_ips table and block them from making any further connections. Finally, the flush keyword kills all states created by the matching rule which originate from the host that exceeds these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port knocking example for ssh using iptables:

IPT=/sbin/iptables   # path to the iptables binary, adjust as needed
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. They go through your logs for a given period of time and make a report on the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide the OpenSSH version, you need to update the source code and recompile OpenSSH. Make sure the following options are enabled in sshd_config:

# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading sshd with the changes:
# /usr/sbin/sshd -t
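
sshd -t only checks syntax; it will not tell you that PermitRootLogin is still "yes" or that a directive was left commented out. As an added example (not part of the original article), the following shell script audits an existing sshd_config against the directives recommended in this list and reports anything missing or set differently. It mirrors two details of how sshd reads the file: comment lines are skipped and, when a directive appears more than once, the first occurrence wins. The directive names and values come from the article; the function names, the expected-settings list and the sample configuration are this example's own, and the sample is constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening directives
# recommended in the article.  Function and variable names are this
# example's own; directive names and values are the article's.

# "Directive value" pairs the article recommends.  Values are compared
# exactly, so keep the spelling sshd documents (yes/no, INFO).
EXPECTED_SSHD_SETTINGS='Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
UsePrivilegeSeparation yes
StrictModes yes
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
LogLevel INFO'

# effective_value FILE DIRECTIVE
# Print DIRECTIVE's value as sshd would see it: comments and blank lines
# are ignored, the keyword match is case-insensitive, and the FIRST
# occurrence wins because sshd uses the first value it reads.  Prints
# nothing when the directive is not set at all.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(want) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
            sub(/[ \t]+$/, "")                # and trailing blanks
            print
            exit
        }
    ' "$1"
}

# audit_sshd_config FILE
# Print one line per mismatch ("Directive expected=X actual=Y", with
# "unset" when the directive is absent); return 0 when the file matches
# every expected setting and 1 otherwise.
audit_sshd_config() {
    mismatches=$(printf '%s\n' "$EXPECTED_SSHD_SETTINGS" |
        while read -r directive expected; do
            actual=$(effective_value "$1" "$directive")
            [ "$actual" = "$expected" ] ||
                printf '%s expected=%s actual=%s\n' \
                    "$directive" "$expected" "${actual:-unset}"
        done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed sample sshd_config (not from any real host) with three
# problems: Protocol is commented out, root login is still allowed, and
# the first of two PasswordAuthentication lines is the one that counts.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# Protocol 2
Port 22
permitrootlogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
PasswordAuthentication no
UsePrivilegeSeparation yes
StrictModes yes
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 0
LogLevel INFO
EOF

# Stand-alone run: prints the three findings and returns status 1.
audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs attention"
```

Run it against /etc/ssh/sshd_config after editing, alongside the sshd -t syntax check; it knows nothing about "Directive=value" spellings or Match blocks, so keep the file in the plain form shown in this article. One caveat when you adapt the expected list: OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect", so on those versions the idle-logout recipe in #4 needs a count of 1 rather than 0.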

Tighter SSH security with two-factor or three-factor (or more) authentication.


Just thinking

Posted by Jeff Rangel | | Posted on 10:50 PM


So this weekend Jillian and I started pulling the weeds from our back yard. I tell you that is no easy task! After pulling all the weeds, going to spread some Weed Feed Killer all over the yard. Sprayed some Round UP, hope that helps too. Hopefully getting some grass, after this drought that we are in.

We shall see!

Jeff-

S.A.-based company fights against cybercrime

Posted by Jeff Rangel | | Posted on 3:48 PM


San Antonio is becoming the hub for national cyber security
08:13 AM CDT on Thursday, July 23, 2009
Karen Grace / KENS 5

San Antonio is becoming the hub for national cyber security. A new report reveals there are not enough trained people to fight attacks.

Video: One San Antonio company is fighting against cybercrime. KENS 5's Karen Grace reports.

The government is vulnerable to hackers and cyber criminals who could scramble the financial world and threaten national security.

EADS North America is based in San Antonio, and they say they're the brains behind our nation's best weapon against cybercrimes.

"We provide simulators that train people how to secure a network," said Eric Franey, director of product management and marketing for EADS North America Defense.

That type of training is desperately needed, according to a report out today that says the federal government is at risk of being unable to fight off terrorist and foreign government attacks on the nation's computer networks.

"The report card that came out today said we don't have enough experts to adequately protect our computer systems," Franey said. "I can tell you there are thousands of attacks a week."

And while you may think this type of espionage doesn't hit home, the experts say think again.

"Cybersecurity is serious for everyone at this point," Franey said. "State and local governments are being attacked."

The company will also work closely with the 24th Air Force, a cyber command headquarters that is also coming to San Antonio next year.


Apollo 11 command module is released to open source

Posted by Jeff Rangel | | Posted on 4:36 PM


Virtual Apollo Computer for developers

Posted by: Siobhan Chapman


The software that helped take humans to the moon has been released to the developer open source community to commemorate the fortieth anniversary of the Apollo 11 mission.

The Apollo 11 program was made up of two different spacecraft, the Command Module (CM), used to get the three astronauts to the moon and back, and the Lunar Module (LM), used to land two of the astronauts on the moon.

An on-board Apollo guidance computer (AGC) was the principal computer for all Apollo missions. On any Apollo mission, there were two AGCs, one for the Command Module, and one for the Lunar Module, but they ran different software because the tasks the spacecraft had to perform were different. "Software" was also different to today, and was effectively built using paper-tape rolls and thick cardstock that was punched with special holes.

Developers of the Virtual AGC and AGS project scanned and transcribed hard-copy listings of the code for both spacecraft, held by the MIT Museum, to create an open source emulator of the Apollo Guidance Computer. The resulting Virtual AGC software, released as public domain executable code, is designed to work in Linux, Windows XP, and Mac OS X 10.3 or later.

The team behind the Virtual AGC project have said the emulator is not a flight simulator, but an accurate recreation of the functionality of the computers which were installed in the Apollo vehicles. But the code can be used as a component for other developers to create a flight simulator, if they so wish.


Tweeting via Pidgin on Ubuntu

Posted by Jeff Rangel | | Posted on 4:50 PM


Pidgin is a multi-featured instant messaging desktop client that is very popular among Linux users. It supports a wide range of chat networks like Yahoo!, AIM, Google Talk, ICQ, and IRC. You can even send and receive SMS (Text Messages) for free via Pidgin. So if it can do all these, does it support everybody's favorite micro-blogging platform Twitter?

Yes, it does. Thanks to a plugin called microblog-purple you will now be able to send and receive tweets via Pidgin.

For Ubuntu users, here's a simple tutorial on installing this Twitter plugin on Pidgin:

1. Depending on your Ubuntu version, add these software repositories:

deb http://ppa.launchpad.net/sugree/ppa/ubuntu hardy main
deb-src http://ppa.launchpad.net/sugree/ppa/ubuntu hardy main

or

deb http://ppa.launchpad.net/sugree/ppa/ubuntu intrepid main
deb-src http://ppa.launchpad.net/sugree/ppa/ubuntu intrepid main

or

deb http://ppa.launchpad.net/sugree/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/sugree/ppa/ubuntu jaunty main

You can easily add software sources by opening Synaptic Package Manager, and then going to Settings --> Repositories --> Third-Party Software:


After adding the above repositories, close the Synaptic Package Manager.

2. Open a terminal and type this command in order to import the key:

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0CF459B8DF37ED8B

Then:

sudo apt-get update

3. Install the microblog-purple plugin with this command:

sudo apt-get install pidgin-microblog

4. After installation, we can now enable the microblog-purple plugin by opening Pidgin, and then going to Tools --> Plugins. Make sure to check "Twitgin":


5. We can now add Twitter from the list of protocols. To do this, simply open the "Manage Accounts" window, add an account, and select TwitterIM from the "Protocol" drop-down menu:


6. Proceed by providing your Twitter username and password:


7. You can now start tweeting via Pidgin!


Note that you can also use these commands inside the Pidgin Twitter window:

/replies - get all replies to you
/refresh - get new tweets instantly
/tag, /btag, /untag - automatically tag all your messages

Enjoy!

Monitoring E-Mail with Nagios

Posted by Jeff Rangel | | Posted on 12:25 AM


Have you ever felt like you were being ignored? Have you ever felt like you were talking but no one was listening? Well, that's how it feels when your e-mail system is broken and you don't know it.

During the past week, I've had a couple system problems that prevented people from receiving e-mail messages that my wife or I sent. The sad part was that we didn't know the messages weren't being delivered. We'd receive a message asking a question, and we'd reply to the sender thinking nothing of it. A few days later, we'd get a phone call from the person asking whether we ever were going to respond.

In our case, two situations were conspiring against us: a change in Comcast's firewall policy and a change in Yahoo's mail delivery policy.

It all began when my wife started complaining that something was wrong with the e-mail system because she'd not heard back from a friend whom she had sent a message the previous day. I sent a quick e-mail to a friend of mine, got a response, and informed my wife that “it worked for me,” and chalked it up to her friend not being responsive.

Then, just to demonstrate to her that the mail server was healthy, I asked the server to print out its mail queue. Crap! There were 55 messages in the queue waiting to be delivered. Of course, by this time, even I had noticed that the volume of incoming spam had gone down to none. So, Houston, we had a problem.

After several years of running my own mail server on my home machine connected to the Internet via Comcast, Comcast decided to implement a new firewall policy and started blocking incoming SMTP (tcp/25) connections on its residential users' networks. Of course, I wasn't informed of the change, because I don't use Comcast's e-mail system! Previously, we would send e-mail from our workstations, and our mail server would forward the message through Comcast's smarthost; incoming messages came directly to our server. This configuration had worked for years. But, with the new firewall policy, something broke. Some of our messages were being delivered, and some weren't. I'm speculating that the ones not delivered were going through servers that did sending address verification, and as they couldn't connect back to my mail server to validate my e-mail address, they refused delivery.

So, I decided to take the inexpensive way out. I could have spent an extra $20 a month and gotten a business account with Comcast, which I eventually did, but I didn't at first. I created a VPN tunnel from my home machine to one of my servers on the open Internet. Then, I moved my DNS pointers to point to that machine and had it forward incoming messages through the VPN. I configured my home server to use that machine as its smarthost rather than Comcast's server. Aside from the blatant violation of Comcast's Acceptable Use Policy, this seemed like it would work pretty well.

Then, the other shoe dropped.

My wife and I quickly realized that this was working much better, but it still wasn't quite right. People my wife emailed on a daily basis weren't receiving her messages. The common denominator was that all of these people were using Yahoo e-mail accounts. So, I manually forced delivery of one e-mail message and saw that Yahoo was deferring delivery due to questionable traffic patterns. And, that made sense; I was trying to deliver 55 deferred messages, probably all at once.

It's important to note that I monitor my e-mail server, and the Exim daemon never sent an alarm, so merely monitoring a service isn't enough. Instead of monitoring the service itself, it's better to monitor the server's function, which is what the rest of this article is about.

I was hesitant to write another article on Nagios, but e-mail is becoming more and more critical, and when it does break, it breaks in strange ways.

Of course, I monitor my Exim daemon as well as my server's route to the Internet. I use a Nagios service check for SMTP, like this:

define service {
    use                  generic-service
    name                 smtp
    host_name            host.example.com
    notification_options w,c,r
    service_description  E-Mail SMTP Server
    check_command        check_smtp
}

I use a similar check to monitor my Internet gateway. But, as bad as the e-mail situation became, neither of these alarms would have indicated a problem. So, rather than monitoring to see whether a process is running, I set out to begin monitoring the server's critical functions, e-mail transport and delivery.

The first problem I wanted to address was being informed when messages were stuck in Exim's mail queue. I actually thought I'd have to write a custom program to check for this situation. While researching the situation further, I came across a posting from someone with a similar problem. It turns out that Nagios already has a command that performs this check, and I never knew it. Nagios's check commands are in /usr/nagios/libexec/, and let me tell you, there is a lot of gold in that directory.

So, I created an entry in Nagios's checkcommands.cfg file, like this:

define command {
    command_name check_mailq
    command_line $USER1$/check_mailq -w 3 -c 5 -v 9
}

Then, I created an entry in the services.cfg file that looked like this:

define service {
    use                  generic-service
    name                 mailq
    host_name            dominion
    notification_options w,c,r
    service_description  SMTP Mail Queue
    check_command        check_mailq
}

Finally, I restarted Nagios and tested the new configuration by shutting down my server's outside network interface and attempting to send an e-mail message. Obviously, the mail transport operation failed and I got my alarm.

So at this point, I am pretty sure that if I have another problem with my e-mail system, at least I'll know it in a timely fashion. But, I thought it would be good to put in one more check.

It would be nice to know if my server ever finds itself on a Real-time Blocking List (RBL). Once again, Nagios has a command to check for this situation, but it comes in C source, which I couldn't get to compile. Anyway, I think I like my solution better.

My program looks up the server's IP address at http://www.anti-abuse.org, which, in turn, checks the IP address against several other RBLs at once. I'm probably going to configure Nagios to perform this check a few times a day, at most.

Here's the program:

#!/usr/bin/perl
use strict;
use warnings;

# Ask anti-abuse.org to check this IP address against several RBLs at once
open(my $cmd, '-|', 'wget', '-q', 'http://www.anti-abuse.org/rblresults.php?host=192.168.1.1', '-O', '-')
    or die "cannot run wget: $!";

my $error = 0;
while (<$cmd>) {
    if (!/listed in /) { next; }          # skip lines that are not RBL results
    if (!/NOT listed in /) { $error++; }  # a result without "NOT" means we are listed
}
close $cmd;

if (!$error) {
    print "OK\n";
    exit 0;
} else {
    print "CRITICAL: $error\n";
    exit 2;   # Nagios treats exit status 2 as CRITICAL
}

As you can see, it's not that complex. It simply sends a query to Anti-abuse.org and looks for the results. I hard-coded my machine's IP address in this case, but it would be trivial to use one of Nagios' variables and send the IP address as a command-line parameter to this program. Then, the program makes sure that each of the results indicates that my machine is not listed on an RBL. If this check fails, we set a flag for later use. Finally, I created a checkcommands.cfg and services.cfg entry just as I did above.
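
As an added example (not the article's Perl and not an official Nagios plugin), the same "listed in" / "NOT listed in" parsing is shown below as a shell check that follows the Nagios plugin exit-code convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and also handles the case the script above quietly passes: when the lookup returns nothing at all, because wget failed or the page layout changed, the check reports UNKNOWN instead of OK. The result lines fed to it are constructed to resemble what the article parses; the real anti-abuse.org page format, the list names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: Nagios-style RBL check in shell.  Not the article's Perl
# program and not an official Nagios plugin; the result text it parses is
# constructed here, and the live fetch (check_rbl) is only a wrapper that
# the stand-alone run never calls.

# Nagios plugin exit codes.
NAGIOS_OK=0
NAGIOS_WARNING=1
NAGIOS_CRITICAL=2
NAGIOS_UNKNOWN=3

# rbl_status  (reads RBL result lines on stdin)
# Count lines that report a listing result; any result without "NOT" is a
# listing.  Prints one Nagios status line and returns the matching code.
# Empty input (wget failed, page changed, network down) is UNKNOWN; the
# article's script would print OK in that situation.
rbl_status() {
    listed=0
    checked=0
    while IFS= read -r line; do
        case $line in
            *"NOT listed in "*) checked=$((checked + 1)) ;;
            *"listed in "*)     checked=$((checked + 1)); listed=$((listed + 1)) ;;
        esac
    done
    if [ "$checked" -eq 0 ]; then
        echo "UNKNOWN: no RBL results received"
        return "$NAGIOS_UNKNOWN"
    elif [ "$listed" -gt 0 ]; then
        echo "CRITICAL: listed on $listed of $checked RBLs"
        return "$NAGIOS_CRITICAL"
    fi
    echo "OK: not listed on any of $checked RBLs"
    return "$NAGIOS_OK"
}

# check_rbl HOST_IP
# Live version for Nagios: fetch the results the way the article does and
# pipe them through rbl_status.  The pipeline's exit status is that of
# rbl_status, which is what Nagios reads.
check_rbl() {
    wget -q -O - "http://www.anti-abuse.org/rblresults.php?host=$1" | rbl_status
}

# Constructed result text (list names are placeholders, not real RBLs).
SAMPLE_RBL_CLEAN='192.168.1.1 is NOT listed in dnsbl-one.example.net
192.168.1.1 is NOT listed in dnsbl-two.example.net
192.168.1.1 is NOT listed in dnsbl-three.example.net'
SAMPLE_RBL_LISTED='192.168.1.1 is NOT listed in dnsbl-one.example.net
192.168.1.1 is listed in dnsbl-two.example.net
192.168.1.1 is NOT listed in dnsbl-three.example.net'

# Stand-alone run: OK, then CRITICAL, then UNKNOWN for an empty fetch.
printf '%s\n' "$SAMPLE_RBL_CLEAN" | rbl_status
printf '%s\n' "$SAMPLE_RBL_LISTED" | rbl_status || echo "(exit status $?)"
printf '' | rbl_status || echo "(exit status $?)"
```

Wired into checkcommands.cfg as `command_line /path/to/check_rbl.sh $HOSTADDRESS$` (with a one-line wrapper that calls check_rbl on its first argument), this gives Nagios the three states it needs to distinguish "clean", "listed" and "could not check", which matters for a check you can only run a few times a day.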

Now I find myself in the awkward predicament of having written a program that I can't test. In order to test this program fully, I'd have to get my server on an RBL list, which I'm not about to do. Even so, I believe this program will work.

I don't know about you, but I live by e-mail, so my e-mail system simply has to work. The problems I had recently demonstrated that my monitoring policy wasn't sufficient. I believe that the new policy would have alerted me to the situation in a timely fashion. But, as is always the case, you can't test for everything, so I'm sure I'm missing something.


Cloud computing with Linux thin clients

Posted by Jeff Rangel | | Posted on 12:08 AM


Cloud computing has been covered extensively in a number of venues and from many points of view. For embedded Linux engineers and aficionados, one exciting aspect of cloud computing is the sudden interest in thin Linux clients.

The basic concept of cloud computing is the use of resources accessed over the Internet. Combined with clients of limited capability, cloud computing becomes broadly similar to client-server computing over a LAN using dumb terminals or once-vogue thin clients. (The reference to "thin" meant these devices had little or no processing power of their own, relying instead on the processing power of the server.)

Because a great deal of data had to traverse the network, the limiting factor was bandwidth. When graphical thin clients became popular in the mid-1990s, their use was still largely limited to LANs because of bandwidth requirements. The Internet simply wasn't fast enough. But even with this limitation, the benefits of centralization—particularly hardware cost, as computers were expensive and thin terminals were cheap—made it worth the trade-off.

Network computing

This trade-off has disappeared with the rapid growth of readily available high-speed Internet access and the ever-increasing capacity of the Internet backbone itself. The resulting shift to higher throughput makes all kinds of interesting technology feasible.

It is now possible to use a Web browser to perform tasks on a remote server that were previously the sole domain of software hosted on a local machine—even graphics-intensive operations such as page layout or image editing. A large number of companies are creating services to meet the demand. Think of any task you perform locally, and chances are good that some company somewhere is providing that service online, probably at no cost.

This paradigm has also paved the way for new methods of accessing information over networks, including entirely new classes of software and devices. Terminals are no longer dumb, and clients are no longer very thin. For some, the definition of "thin" has grown to include any system that can access the Internet, regardless of its overall capabilities: cellular phones, new devices such as netbooks and mobile Internet devices (MIDs), even re-purposed, older desktop and laptop computers. All clients are thin when the server is as thick, rich, and connected as the Internet itself.

Most industry analysts agree that the use of thin clients—particularly cellular phones—is rising dramatically. In fact, thin clients are expected to be the primary method of accessing the Internet for a majority of people in the world within the next few years.

The network has finally become the computer, as John Gage predicted back in 1984.


The bottom line

Usefulness, however, is not always the primary factor that determines wide-scale adoption. A more accurate determination can be made in terms of absolute cost—especially when adoption is considered in developing countries—as well as relative cost in relation to value. A client's thinness bears a direct relationship to its cost, because less capable systems are less expensive to produce. Similarly, what cloud-based software costs the user depends on its large-scale adoption, which is what subsidizes it.

Creative markets and the cost-value ratio

Cloud computing, along with supporting technology like thin clients, is driving organizations to consider creative methods of financing and marketing. For example, One Laptop Per Child (OLPC) produces extremely inexpensive devices (currently in the US$200 range), structures the software around education, and markets to governments of developing countries rather than to individuals in order to create educational opportunities in countries that previously had no Internet access or technology education at all. This kind of activity, although eventually profitable for the company, is also beneficial to the world in general.

OLPC's story also points out the importance of considering cost in relation to value. Consider the total cost of a "thick" client. Think of a technical writer at a laptop computer in a coffee house. This laptop may contain all the resources available to complete the project—a word processor, page-layout program, diagramming tools for graphical insets and illustrations, and conversion tools for XML and PDF—all in the self-contained universe of that laptop, which may cost US$2,000 and have similar capabilities to a desktop machine. The software could cost as much as the system itself, resulting in a US$4,000 total investment.

In contrast, that same writer in the same coffee house may work on a thin client—a much smaller, resource-constrained system that literally costs one-tenth as much as the expensive laptop. Thanks to the software and storage available in the cloud, this thin client may have no moving parts, a very simple processor, and just enough resources to run a modern Web browser and a fast network connection, but the writer has as many—possibly even more—resources at hand than the local user, as well as the safety of knowing that his or her work will survive even if the battery dies or the laptop itself is stolen. (The work survives because it lives in the cloud; whether a thief can reach that same cloud account through a session or credentials cached on the device is a separate question the device's configuration has to answer.)

The software available in the cloud can produce documents of the same quality with similar levels of control over the end product, yet it is free to the user, subsidized by corporate adoption, by advertising, or by some other creative monetization process. Total investment by the user: US$200.


Penguins in the clouds

The best operating environment for a thin client designed around cloud computing has the following characteristics:

  • Highly customizable
  • An inexpensive or even free operating system
  • All necessary applications inexpensive or free
  • Networking built into the operating system core
  • Small enough to fit into tiny devices
  • Flexible and powerful enough to run full laptops
  • Miserly enough to conserve battery life to a maximum degree

Linux meets all of these criteria. It is taking over in the mobile space, the enterprise space, and the embedded space, including dedicated consumer devices such as book readers and set-top boxes. And with virtualization, Linux can also run applications built for the Windows®, Mac OS X, and other operating systems.

Linux: the operating system for the cloud

Linux has matured and become viable as an embedded operating system; its freedom—both in terms of cost and royalty-free licensing—has revolutionized a market that once was dominated by only a few players who demanded stiff per-unit royalties. Linux now has real-time support as well as structured driver support with a flexibility never dreamed of for proprietary real-time operating systems, and the availability of relevant applications is unprecedented. Linux is the basis behind at least four new netbook operating systems, leads the explosive growth in smart phones, and is slated to continue to absorb market share over the next 5 to 10 years.

The flexibility, developer control, power-management facilities, and overall stability of Linux also make it well suited to older, recycled systems. You can give older machines a new life by loading Linux instead of (or in addition to) the host operating system.

Applications for accessing the cloud

What about applications? Something beyond the operating system is required in order to gain access to the cloud, and cost must be considered here, as well. The cloud has made thin clients possible, but the key to making them inexpensive is limiting the cost of the software to run them.

As most developers know, some of the most powerful network-oriented applications available are completely free, including Web browsers (such as Firefox, Opera, and Chrome), e-mail software (such as Thunderbird and Evolution), instant messaging (such as Pidgin and Trillian), and multi-platform application environments (such as Java™ technology). The combination of just these four application types alone would make a formidable thin client, all completely free.

Note, however, that free, open source operating systems and applications do not mean that you can make a device completely without cost. As noted open source developer Jamie Zawinski famously said, "Free software is only free if your time has no value." You must accept a certain amount of work to design and implement systems based on free software, just as you must do when evaluating proprietary software. However, because the base product is free and its source code is available, the value gained for that time is far higher for free software than for paid software, even if the process itself takes a little longer.

It is no wonder that there are over 100,000 embedded Linux developers currently, and the number is growing.


What thin clients currently exist?

This section describes several types of thin clients on the market today. Many of these clients are new devices still finding their niches in the hearts of consumers and enterprises. All share a few common features: they have little storage and processing power of their own relative to the functions they are designed to perform, they are all designed around cloud computing, and they all run operating systems based on Linux and other open source software.

Netbooks

A netbook is a small, underpowered (by modern standards), yet fully functional laptop, usually supporting wireless networking. Netbooks are designed to be used as thin clients, and many have no fans or disk drives.

Examples include the OLPC XO, the Asus EEE PC, and the MSI Wind. Most run full-scale Linux distributions like Fedora or Ubuntu, although some have environments developed for them specifically, like OLPC's Linux-based Sugar, which was developed by educators as a learning environment. The Sugar interface is also available to run on a standard Windows or Apple system (see Resources for links to more information).

MIDs

A mobile Internet device (MID) is a very small-scale device with a touchscreen and, optionally, a thumb-sized keyboard. Also known as ultra-mobile PCs (UMPCs), MIDs support wireless networking and are designed specifically for mobile use. (They are roughly the size of cellular phones.) The principal difference between netbooks and MIDs is size, because many use the same processors, although MIDs are generally less capable: they have less storage, less memory, and smaller screens.

Examples include the Nokia N810, the Sony Vaio P, and the Acer Aspire ONE series. Nearly all devices known as MIDs run some variant of Linux. The Nokia device in particular runs Maemo, a combined kernel and middleware platform whose user environment is relatively constrained and optimized in order to keep resources available for applications, although some developers have created alternative desktop environments. Also available is Ubuntu MID Edition, which combines Ubuntu with Intel®'s Moblin middleware to yield a powerful operating environment for Intel-based MIDs.

Smart phones

These overgrown cellular phones, which started out as enterprise devices capable of reading e-mail and browsing the Web, have exploded in popularity. Many come with thumb keyboards and fast, always-on Internet connections because of the simultaneous massive growth of 2.5G and 3G cellular telephone data networks.

Examples of smart phones with keyboards include the new Palm Pre, the HTC G1, and the OpenMoko project. Some without keyboards include the Motorola Krave ZN4, the Samsung Anycall SCH-i859, the Emblaze Mobile Edelweiss, and the Purple Magic reference design from French company Purple Magic. All of these phones are based on Linux.

Many new phone designs running variants of Linux have recently been announced. Linux distros designed specifically for smart phones include Android (a Google product) and software based on the LiMo platform, maintained by the LiMo Foundation, a smart phone standards organization.

Dedicated devices

Some dedicated devices also rely on the network for their primary functions. Electronic book readers must have some method of downloading books: The Amazon Kindle uses a cellular-based network connection to connect directly to Amazon's server. (Note that the Kindle runs Linux.) Other dedicated, network-capable devices include the TiVo digital video recorder (DVR) and the Roku Netflix Player video-streaming set-top box, both of which run Linux.

Hybrid devices

There is a new device entering the market that might best be called a hybrid cloud computer. It is a standard office laptop with an interesting twist: a thin Linux-based client built directly into the hardware that shares the keyboard, screen, and network connection. It may seem strange to have two computers in one case, but the utility becomes apparent when the thin client turns on and connects instantly like a cellular phone, stays on for up to 18 hours with a standard battery, and goes to sleep so the user can boot into the larger machine whenever necessary. It is a true cloud machine with a local backup.

The only current hybrid device is the Dell Latitude E4200/E4400 series (the capability is called Latitude ON), but more such devices are planned in the near future.


Green penguins, green clouds

There are environmental benefits to both cloud computing and the use of thin clients based on Linux.

Cloud computing centralizes resources, which means that all the hard processing happens on large, fast machines somewhere out there "in the cloud." Some companies—Google in particular—have taken this concept to heart by locating server farms physically close to power-generating stations, as they have in Oregon and in Eemshaven, The Netherlands (near a large set of windmills). Because a significant share of electrical power is lost in transmission, this is good for the planet as well as for the company. Google has also (famously) patented a floating wave-powered server farm, which would not only be co-located with its power source but would also be totally sustainable.

There are additional benefits to thin Linux clients. First, they are "thin," meaning that they contain low-powered hardware and thus use much less electricity than full-featured laptops. Second, they run Linux, which has many advantages related to power management, even on older hardware.

Third and most importantly, Linux runs practically everywhere. Rather than consigning an old computer to the e-waste scrap heap, give it a new, inexpensive hard disk—or just boot from a CD or a USB flash drive (UFD)—and re-purpose the computer as a thin client.

The earth will thank you.


Resources

Learn

Get products and technologies

  • Some popular, free Linux environments suitable for thin clients include:
