Category Archives: Software

Enabling Touchpad Tap-To-Click in Kubuntu

Kubuntu, the KDE flavour of Ubuntu, seems to work very well out of the box when installed on a new machine, needing very little configuration. One instance where you need to take that extra step is to allow taps on a laptop touchpad to be interpreted as clicks. For some reason I can’t imagine, this is not enabled by default.

Note: I’m using Kubuntu 20.04 LTS with KDE Plasma 5.18.5.

To enable this, you need to go into System Settings -> Input Devices -> Touchpad. You can reach the Touchpad settings directly by searching for “touchpad” in the search box (top-left in System Settings).

In Touchpad settings, enable “Tap-to-click”.

Once in the Touchpad settings, all you need to do is enable the “Tap-to-click” option. Once this is enabled, there are additional settings you can customise, but there’s typically no need to change them.

Getting Started with Unity3D on Linux

If you have any sort of interest in game development, you’ve probably heard of Unity3D. And if you’ve used it before, you probably know that it has for a long time been restricted to Windows and Mac in terms of development platforms. That changed recently, when they added support for Linux. In this article, I’ll show you how I set up Unity3D on my Kubuntu 20.04 installation, and if the distribution you’re using is close enough, the same steps will likely work for you as well.

First, go to the Unity3D Download page and grab the Unity Hub.

Download the Unity Hub, then open it.

After Unity Hub has finished downloading, run it. It’s distributed as an AppImage (a single self-contained Linux executable), so once you’ve marked the downloaded file executable (chmod +x), you can either double-click it or run it from the terminal.

You have no valid licence… you filthy peasant!

Register an account on the Unity3D website if you don’t have one already. Once Unity Hub loads, it immediately complains about not having a licence. If you click “Manage License”, it will ask you to login. You can click on the resulting “Login” link, or else click the top-right icon and then “Sign in”, to log into Unity3D from Unity Hub.

This is where you sign in.
Reject cookies and login. Social providers are under the cookie banner.

Click “Reject All” to opt out of cookies. Then, sign in using your email address and password. Alternatively, if you log into your account using a social identity provider, you’ll find different providers’ icons under the cookie banner.

Now you’re back in the Licence page of Unity Hub. Wait a few seconds for it to activate, then click the “Activate New License” button:

After logging in, you can activate a new licence.

In the next window, select whichever options apply to you. If you’re just a hobbyist, Unity3D is free, so you can select the radio buttons as shown below. Click “Done” when you’re ready.

Choose the relevant options. Unity3D is free unless you’re a company making $100k or more.

You now have a licence! Click the arrow at the top-left to go to the Projects section.

Armed with a licence, go out of Preferences and back to the main sections.

If you try to add a new project, you’ll realise that you need to install a version of the Unity3D editor first. Head over to the Installs section to do this.

You can’t create a new project before you install a version of the Unity3D editor.

In the Installs section, click the “Add” button:

Add a version of the Unity3D editor from here.

Choose whichever version you prefer. The recommended LTS version is best if you need stability; otherwise you can use the latest and greatest version with the newest features.

Choose which version of the Unity3D editor you want to install. The recommended LTS is better for stability; if you’re just starting out, you don’t really need that and can go for the newest one instead.

Click “Next”, and you can now choose which platforms you want your builds to target and what documentation you want. If you’re just starting out, keep it simple and just leave the default “Linux Build Support” enabled. You can always add more stuff later if/when you need it.

Choose which platforms you want to target, and which documentation you want to include. If you’re just starting out, you don’t really care.

Click “Done”, and wait for it to install…

Grab some coffee.

When it’s done, head back to the Projects section. Click the “New” button to create a new project.

In the next window, select the type of project (3D by default), give it a name, and select a folder where your Unity3D projects will go (the new project will be created as a subfolder of this). Then click the “Create” button:

Choose project type, name and location.

Wait for it…

Nice loading screen…

And… that’s it! The editor then comes up, and you can begin creating your game.

The Unity3D editor, finally running on Linux.

If you need a quick place to start, check out my “Unity3D: Moving an Object with Keyboard Input” tutorial here at Gigi Labs, as well as my early Unity3D articles at Programmer’s Ranch.

Enabling and Enforcing HTTPS on a Subdomain with cPanel

Nowadays, there’s really no excuse not to enable HTTPS on a website, even a small personal one. It’s free and simple. In fact, chances are that whatever host you’re using offers a simple option you can just turn on. In this article, we’ll see how to set this up in cPanel, which is commonly used in Linux/PHP/MySQL web hosting services.

Set up the Subdomain

Subdomains service in cPanel

If you haven’t already, create a subdomain. To do this:

  1. Locate the Subdomains service in cPanel.
  2. Enter a name for the subdomain.
  3. Enter a path to a folder to be used as the document root for the subdomain.
  4. Click the Create button.

Enable HTTPS on the Subdomain

Let’s Encrypt™ SSL service in cPanel

New subdomains will by default be served over plain HTTP, which is insecure. Enabling HTTPS requires a TLS certificate (still commonly called an SSL certificate), which the Let’s Encrypt integration in cPanel issues for free. To set this up:

  1. Locate the Let’s Encrypt™ SSL service in cPanel.
  2. Scroll towards the bottom of the page, and page through your subdomains until you locate the new one you want to apply HTTPS to.
  3. Click on the Issue action link next to it.
  4. Leave the settings as they are and click on the Issue button.

Enforce HTTPS on the Subdomain

Domains service in cPanel

Enabling HTTPS is only half the job if people can still reach the site over plain HTTP. It’s very easy to automatically redirect visitors from the HTTP endpoint to HTTPS. To do this:

  1. Locate the Domains service in cPanel.
  2. Locate the new subdomain, which may be on a different page.
  3. Turn on the switch in the Force HTTPS Redirect column.
  4. A success message should confirm that it’s been enabled.

Test the Subdomain

The subdomain is secure and running on HTTPS

To make sure everything is set up correctly, use a browser to ensure that the website at your subdomain is secure.

  1. Wait a few seconds. The redirect you just enabled might not kick in right away.
  2. Use an incognito session in your browser. Otherwise, if you visited the subdomain before enabling the redirect, it’s possible that the browser might still show it as insecure.
  3. Access your subdomain with the URL starting with https://. Ensure that your browser displays the padlock icon and reports the connection as secure.
  4. Access your subdomain with the URL starting with http://. Once the page loads, ensure that you are now on https:// and that the browser displays the padlock icon and reports the connection as secure. Optionally, you can also open your browser’s dev tools, switch to the Network tab, and observe the 301 redirect response.
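If you’d rather script the test than click through it, here is an added example in Python (my own illustration, not part of cPanel or of the walkthrough above) that applies the same checks as steps 3 and 4: it validates a captured HTTP response as a correct redirect to HTTPS (same host, path and query string preserved, permanent status), checks the HTTPS response for a downgrade back to http:// and for an HSTS header, and, in check_site, runs the same checks live against a host you name. The host sub.example.com is a placeholder, and the responses in the offline checks are constructed.

```python
"""Added example: check an HTTP -> HTTPS redirect the way a browser would,
offline against constructed responses and optionally against a live host."""
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}
PERMANENT = {301, 308}


def evaluate_redirect(original_url, status, headers):
    """Return a list of problems with one HTTP->HTTPS redirect hop.

    An empty list means the hop looks right: a permanent redirect to the
    https:// URL on the same host, with the path and query string kept.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if status not in REDIRECTS:
        return [f"expected a redirect status, got {status}"]
    if status not in PERMANENT:
        # A 302/307 works, but browsers and search engines will not cache it.
        problems.append(f"status {status} is temporary; prefer 301 or 308")
    location = h.get("location")
    if not location:
        return problems + ["redirect has no Location header"]
    src, dst = urlsplit(original_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"Location does not use https: {location}")
    if dst.hostname != src.hostname:
        # A redirect that changes host (e.g. to the bare domain) is a different site.
        problems.append(f"Location changes host: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("Location drops the original path or query string")
    return problems


def evaluate_https_response(status, headers):
    """Checks on the response from the https:// endpoint itself."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status in REDIRECTS and h.get("location", "").startswith("http://"):
        problems.append("https:// page redirects back to http:// (downgrade / redirect loop)")
    if "strict-transport-security" not in h:
        # Without HSTS every fresh visit still starts with one plaintext request.
        problems.append("no Strict-Transport-Security header; the first request is still plaintext")
    return problems


def check_site(host, path="/"):
    """Live check of a real host (not exercised offline). Returns the combined
    list of problems. Certificate errors surface here because
    ssl.create_default_context() verifies the chain and hostname like a browser."""
    problems = []
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    problems += evaluate_redirect(f"http://{host}{path}", resp.status, dict(resp.getheaders()))
    conn.close()
    try:
        sconn = http.client.HTTPSConnection(host, 443, timeout=10,
                                            context=ssl.create_default_context())
        sconn.request("HEAD", path)
        sresp = sconn.getresponse()
        problems += evaluate_https_response(sresp.status, dict(sresp.getheaders()))
        sconn.close()
    except ssl.SSLError as exc:
        problems.append(f"TLS handshake failed (bad certificate?): {exc}")
    return problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sub.example.com"  # assumed placeholder host
    for problem in check_site(host) or ["OK: HTTP redirects to HTTPS and the TLS endpoint is sane"]:
        print(problem)
```

Run it as `python3 check_https.py blog.yourdomain.example` (script name assumed). A clean result is an empty problem list; anything else tells you which of the four properties (redirect present, permanent, same host, https scheme) or the HSTS header is missing.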

Summary

As you can see, it’s super easy to get HTTPS working on a subdomain in cPanel. Just enable HTTPS for the subdomain, force the HTTPS redirect, and you’re done. One thing the redirect doesn’t cover is the very first plaintext request a browser makes before it learns about the redirect; if you want to close that gap, add a Strict-Transport-Security (HSTS) header on the HTTPS site so browsers go straight to https:// on later visits.

Azure Fundamentals Part 5 Summary

This is a summary of the Azure Fundamentals part 5: Describe identity, governance, privacy, and compliance features learning path. Aside from the usual “Introduction to Azure Fundamentals” module, repeated in every learning path in this series, there are three modules covering identity, cloud governance, and compliance, respectively. If you’re a developer, this learning path is easily the most boring of the lot, but it’s also very important from a cloud administration point of view.

Identity Services

This is a summary of the Secure access to your applications by using Azure identity services module. They love using wordy headings, don’t they?

Authentication vs authorization: who you are vs what you have access to.

Azure Active Directory (Azure AD, since renamed Microsoft Entra ID):

  • Similar to Active Directory, but for the cloud
  • Monitors sign-in attempts, unlike the on-premises counterpart
  • Controls access to other Microsoft services such as Office 365
  • Has the concept of tenants, which represent organisations
  • Is an identity and access management service. It stores information about users (including password hashes, not plaintext passwords), and provides control over them (e.g. reset password, multifactor authentication, list of banned passwords, etc)
  • Also provides device management – devices can be registered to control which devices are allowed to access services.
  • Supports Single sign-on (SSO) to access multiple applications with the same credentials.
  • Azure AD Connect synchronises user identities between on-premises Active Directory and Azure AD. Users can use the same credentials to access on-premises and cloud services.

Multifactor authentication provides an additional layer of security over the usual username and password by requiring two or more authentication mechanisms, each from a different one of the following categories:

  • Something the user knows (e.g. a password or PIN)
  • Something the user has (e.g. a phone that receives a code, an authenticator app, or a hardware token)
  • Something the user is (biometric data, e.g. fingerprint)

Conditional access is a feature of Azure AD that applies multifactor authentication differently based on identity signals. This is basically a rule engine that can do things like request the second factor only if the user is in an unknown location, signing in from an unknown device, or accessing a particular application. Access could also be blocked entirely in some circumstances (e.g. signing in from a high-risk country). Conditional access is a premium feature that requires an Azure AD Premium P1 (or P2) licence.

Cloud Governance

This is a summary of the Build a cloud governance strategy on Azure module.

The Cloud Adoption Framework for Azure guides you towards migrating to the cloud. There are five steps:

  • Define your strategy: understand what benefits you’ll gain by moving to the cloud, get everyone on board, and choose the right proof of concept project to kick it off.
  • Make a plan: take stock of what you have on-premises, train up, and make a plan to migrate.
  • Ready your organisation: set up your Azure subscriptions and create a landing zone, basically an environment in the cloud to get you started.
  • Adopt the cloud: start migrating, review best practices, find ways to migrate more efficiently, and study ways to handle more complex migrations.
  • Govern and manage your cloud environments: define processes and policies that will apply to resources in the cloud, and maintain them as they evolve throughout the migration process.

Things to consider when deciding how to organise Azure subscriptions:

  • Billing: you can create one billing report per subscription, so you can organise subscriptions by department or project.
  • Access control: subscriptions provide inherent isolation (e.g. between development and production environments).
  • Subscription limits: some resources are limited in the amount you can deploy per subscription, so you’ll need to allocate more subscriptions if necessary.

Role-based access control (RBAC) is used to grant or restrict access to resources. These roles are applied to a scope that could be:

  • A management group
  • A single subscription
  • A resource group
  • A single resource

Access control is inherited by child scopes, e.g. assigning a role to a single subscription means it is also applied to all resource groups and resources in that subscription.

RBAC is managed via Access control (IAM) in the Azure portal. RBAC rules are applied to any request to an Azure resource that passes through Azure Resource Manager; operations that bypass it, such as reading blobs with a storage account key, are not governed by these role assignments.

RBAC uses an allow model: as long as some role assignment in scope allows you to perform an action, you can do it, and a role definition can only grant actions, not deny them to holders of other roles. If different roles give you different access (e.g. read and write), the permissions add up (you get both read and write); to take access away, you remove the assignment.

Resource locks are a simple safeguard against accidental modification or deletion. You can use either CanNotDelete (authorised users can read and modify but not delete) or ReadOnly (authorised users can read a resource but can’t change or delete it). Unlike RBAC, a lock applies to everyone, including Owners, and is inherited by child scopes; you have to remove the lock before performing the restricted operation (e.g. deleting the resource). Be careful with ReadOnly: some operations that look like reads are POST requests under the hood (listing storage account keys, for example), and a ReadOnly lock blocks those too.
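To make the inheritance and additive rules concrete, here is an added example (my own model, not Azure’s authorisation engine) in Python: a toy evaluator for role assignments at management group, subscription, resource group and resource scope, the allow-only union of permissions, and the two lock levels. Scopes are simplified to tuples rather than Azure’s resource-ID strings, the role definitions and the sample principals (alice, bob, carol) are constructed, and the real Contributor role’s NotActions are ignored.

```python
"""Added example: a toy evaluator for the Azure RBAC rules described above
(scope inheritance, additive allow-only roles) plus resource locks.
Not the real Azure authorisation engine; a model to make the rules concrete."""
from fnmatch import fnmatchcase

# Scopes are modelled as tuples from the management group down to the resource
# (assumption: real Azure scopes are resource-ID strings). A scope applies to
# every scope that has it as a prefix, which is exactly the inheritance rule.
MG, SUB, RG, RES = "mg:contoso", "sub:prod", "rg:web", "res:vm1"

# A few role definitions with Azure-style action patterns ('*' is a wildcard).
ROLES = {
    "Reader": ["*/read"],
    "Contributor": ["*"],  # the real Contributor also has NotActions; ignored here
    "VM Operator (custom)": ["Microsoft.Compute/virtualMachines/read",
                             "Microsoft.Compute/virtualMachines/start/action",
                             "Microsoft.Compute/virtualMachines/restart/action"],
}


def in_scope(assigned_scope, target_scope):
    """True if target_scope is assigned_scope itself or one of its descendants."""
    return target_scope[:len(assigned_scope)] == assigned_scope


def lock_blocks(action, target_scope, locks):
    """Resource locks apply to everyone, including Owners, and are inherited."""
    for lock_scope, level in locks:
        if not in_scope(lock_scope, target_scope):
            continue
        if level == "CanNotDelete" and action.endswith("/delete"):
            return f"CanNotDelete lock at {'/'.join(lock_scope)}"
        if level == "ReadOnly" and not action.endswith("/read"):
            return f"ReadOnly lock at {'/'.join(lock_scope)}"
    return None


def is_allowed(principal, action, target_scope, assignments, locks=()):
    """Return (allowed, reason). assignments: (principal, role, scope) triples."""
    blocked = lock_blocks(action, target_scope, locks)
    if blocked:
        return False, blocked
    # Allow model: the first assignment in scope whose role matches the action
    # is enough; nothing a role says can take an action away.
    for who, role, scope in assignments:
        if who != principal or not in_scope(scope, target_scope):
            continue
        for pattern in ROLES[role]:
            if fnmatchcase(action, pattern):
                return True, f"{role} assigned at {'/'.join(scope)}"
    return False, "no role assignment grants this action"


def effective_actions(principal, target_scope, assignments, candidate_actions):
    """Which of candidate_actions the principal can perform at target_scope.
    Shows the additive behaviour: Reader at the subscription plus VM Operator
    at the resource group gives read AND start, not one or the other."""
    return sorted(a for a in candidate_actions
                  if is_allowed(principal, a, target_scope, assignments)[0])


# Constructed sample data.
ASSIGNMENTS = [
    ("alice", "Contributor", (MG, SUB)),
    ("bob", "Reader", (MG, SUB, RG)),
    ("carol", "Reader", (MG, SUB)),
    ("carol", "VM Operator (custom)", (MG, SUB, RG)),
]
LOCKS = [((MG, SUB, RG, "res:db1"), "CanNotDelete")]
VM = (MG, SUB, RG, RES)
DB = (MG, SUB, RG, "res:db1")
VM_ACTIONS = ["Microsoft.Compute/virtualMachines/read",
              "Microsoft.Compute/virtualMachines/write",
              "Microsoft.Compute/virtualMachines/delete",
              "Microsoft.Compute/virtualMachines/start/action"]

if __name__ == "__main__":
    print(is_allowed("alice", "Microsoft.Compute/virtualMachines/delete", VM, ASSIGNMENTS, LOCKS))
    print(is_allowed("alice", "Microsoft.Sql/servers/databases/delete", DB, ASSIGNMENTS, LOCKS))
    print(effective_actions("carol", VM, ASSIGNMENTS, VM_ACTIONS))
```

Note the order of checks in is_allowed: the lock is consulted before any role, which is why alice, a Contributor on the whole subscription, can still not delete the locked database.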

You can use Azure Blueprints (more on this further below) to set a standard for resources across your organisation, which could include enforcement of resource locks among other things.

Resource tags are used to apply metadata (name/value pairs) to resources. They complement subscriptions and resource groups as another way to categorise and organise things. They help to:

  • Manage resources and locate them easily
  • Report on costs by particular tags
  • Group resources based on criticality and SLAs
  • Classify data security (e.g. confidential)
  • Track regulatory compliance (e.g. ISO 27001)
  • Run any kind of automation logic on resources with a particular tag

Tags are not inherited: tagging a resource group does not tag the resources inside it, unless you use an Azure Policy to copy the tag down.

Azure Policy lets you create and enforce policies or initiatives (groups of policies) that apply to resources. To implement a policy, you:

  1. Create a policy definition
  2. Assign it to resources
  3. Review the evaluation results

A policy definition can be used to do things like:

  • Prevent VMs from being deployed in certain regions
  • Restrict which virtual machine sizes can be deployed
  • Enforce MFA on accounts with write permissions
  • Prevent CORS from allowing unrestricted access to web applications
  • Ensure updates are installed on VMs
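As an added example (my own code, not Azure’s policy engine), here is a Python evaluator for a small subset of the Azure Policy rule language that walks through the three steps: two constructed definitions (an “Allowed locations” deny policy using a [parameters('allowedLocations')] reference, and an audit policy requiring an env tag on VMs), assignments at subscription and resource-group scope, and the resulting per-resource compliance state over a constructed resource inventory. Only literal field conditions, allOf/anyOf/not and the tags[key] field form are supported; the real language has aliases, count expressions and many more effects.

```python
"""Added example: a small evaluator for a subset of the Azure Policy rule
language, following the three steps: define, assign, review results.
Assumption: only literal 'field' conditions, allOf/anyOf/not and the
[parameters('name')] reference are supported; real Policy has far more."""
import re
from fnmatch import fnmatchcase

PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")
TAG_FIELD = re.compile(r"^tags\[(.+)\]$")


def resolve(value, params):
    """Replace "[parameters('x')]" with the assignment's parameter value."""
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return params[m.group(1)]["value"]
    return value


def get_field(resource, field):
    """Fields: top-level keys ('location', 'type', 'name') or tags[key]."""
    m = TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def matches(condition, resource, params):
    """Evaluate one policy condition against a resource."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = get_field(resource, condition["field"])
    if "equals" in condition:
        return actual == resolve(condition["equals"], params)
    if "notEquals" in condition:
        return actual != resolve(condition["notEquals"], params)
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in resolve(condition["notIn"], params)
    if "like" in condition:
        return actual is not None and fnmatchcase(actual, resolve(condition["like"], params))
    if "exists" in condition:
        return (actual is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate_assignment(assignment, definitions, resources):
    """Step 3: evaluate one assignment over the resources inside its scope.
    The policy's 'if' block describes the *non-compliant* state; when it
    matches, the 'then' effect (deny/audit) applies."""
    definition = definitions[assignment["policyDefinitionId"]]
    params = assignment.get("parameters", {})
    rule = definition["policyRule"]
    results = []
    for res in resources:
        if not res["id"].startswith(assignment["scope"]):
            continue  # assignments only apply at and below their scope
        hit = matches(rule["if"], res, params)
        results.append({"resource": res["id"], "policy": definition["displayName"],
                        "state": "NonCompliant" if hit else "Compliant",
                        "effect": rule["then"]["effect"] if hit else None})
    return results


# Step 1: policy definitions (constructed, modelled on the built-in ones).
DEFINITIONS = {
    "allowed-locations": {
        "displayName": "Allowed locations",
        "policyRule": {"if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                       "then": {"effect": "deny"}}},
    "require-env-tag": {
        "displayName": "Require env tag on VMs",
        "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                                        {"field": "tags[env]", "exists": "false"}]},
                       "then": {"effect": "audit"}}},
}
# Step 2: assignments bind a definition to a scope and supply parameter values.
ASSIGNMENTS = [
    {"policyDefinitionId": "allowed-locations", "scope": "/subscriptions/sub-prod",
     "parameters": {"allowedLocations": {"value": ["westeurope", "northeurope"]}}},
    {"policyDefinitionId": "require-env-tag", "scope": "/subscriptions/sub-prod/resourceGroups/web"},
]
# Constructed resource inventory.
RESOURCES = [
    {"id": "/subscriptions/sub-prod/resourceGroups/web/providers/Microsoft.Compute/virtualMachines/vm1",
     "type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {"env": "prod"}},
    {"id": "/subscriptions/sub-prod/resourceGroups/web/providers/Microsoft.Compute/virtualMachines/vm2",
     "type": "Microsoft.Compute/virtualMachines", "location": "eastus", "tags": {}},
    {"id": "/subscriptions/sub-prod/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/sa1",
     "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    {"id": "/subscriptions/sub-dev/resourceGroups/lab/providers/Microsoft.Compute/virtualMachines/vm9",
     "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
]


def non_compliant(results):
    """Short names of the resources an evaluation flagged."""
    return sorted(r["resource"].rsplit("/", 1)[-1] for r in results if r["state"] == "NonCompliant")


if __name__ == "__main__":
    for a in ASSIGNMENTS:
        for r in evaluate_assignment(a, DEFINITIONS, RESOURCES):
            print(r["policy"], r["resource"].rsplit("/", 1)[-1], r["state"], r["effect"] or "")
```

Two things worth noticing: vm9 in the dev subscription is never evaluated, because the assignment scope decides which resources a policy sees at all, and the same vm2 is flagged by both policies but with different effects, deny (would block deployment) versus audit (only reported).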

Azure Blueprints lets you orchestrate things like role assignments, policy assignments, ARM templates and resource groups across your organisation so that you don’t need to set them up for each subscription. Blueprints are made up of artifacts, and they deploy different elements to each subscription (e.g. Allowed locations policy, resources from an ARM template, etc). Note that Blueprints never left preview, and Microsoft has since announced its retirement, recommending Template Specs and Deployment Stacks instead.

Data Protection & Compliance

This is a summary of the Examine privacy, compliance, and data protection standards on Azure module.

Some projects require compliance with certain standards, such as ISO 27001 or government-specific regulations. Azure is compliant with a huge number of these, so it’s quite likely you can use Azure even when working in some of the more regulated sectors.

You can also check the following documents:

  • Microsoft Privacy Statement: how Microsoft manages personal data
  • Online Services Terms: agreement between customer and Microsoft when using services such as Azure or Office 365
  • Data Protection Addendum: more specific about data protection

The Trust Center lets you find information about particular compliance offerings, such as ISO 27001, and how it applies to cloud services on Azure.

The Azure compliance documentation describes how Azure adheres to certain standards, e.g. PCI DSS.

Azure Government is a separate instance of Azure for US government agencies and their partners. Its data centres are physically and logically isolated from the public Azure cloud, so they are not available to ordinary customers, and it meets the stricter US government compliance requirements.

Azure China 21Vianet is the Azure offering in China. Microsoft can’t operate Azure directly in China because of local regulations, so they instead offer it via a partner, 21Vianet. Services offered are mostly the same, but they may vary a little.

Azure Fundamentals Part 4 Summary

This is a summary of the Azure Fundamentals part 4: Describe general security and network security features learning path. Aside from the usual “Introduction to Azure fundamentals” module repeated in every learning path in the series, there are only a couple of other modules on general and network security, respectively.

General Security

This is a summary of the Protect against security threats on Azure module.

Azure Security Center (since folded into Microsoft Defender for Cloud) is a service that gives you visibility into the overall security of your Azure and on-premises resources, referred to as your security posture. It provides ratings against benchmarks such as the CIS Azure Foundations Benchmark or PCI DSS, and also provides an overall secure score. The Resource security hygiene section provides a breakdown of security recommendations by resource type.

Azure Security Center also provides additional security capabilities including:

  • Just-in-time (JIT) VM access: temporarily opening management ports (e.g. SSH or RDP) on VMs that are otherwise blocked to outside traffic, for a requesting user and a limited time
  • Adaptive application controls: allow-listing which applications can run on VMs
  • Adaptive network hardening: recommendations for tightening network security group rules
  • File integrity monitoring: watching system files (and registry keys) on both Windows and Linux for tampering
  • Integration with Azure Logic Apps to automatically trigger actions based on threat detection alerts or Security Center recommendations.

Azure Sentinel (now Microsoft Sentinel) is a cloud-native security analytics service (the more formal term would be security information and event management (SIEM) system, with response automation on top). It can:

  • Collect security information from different sources
    • Microsoft services such as Office 365 or Azure Active Directory
    • Non-Microsoft services such as AWS CloudTrail or Okta SSO
    • Other sources that use recognised formats including Common Event Format (CEF), Syslog, or REST API
  • Detect threats based on built-in or custom rules
  • Investigate incidents or suspicious activity
  • Respond to threats automatically using playbooks (Azure Logic Apps workflows); Azure Monitor Workbooks, which the module also mentions here, are for interactive dashboards and visualisation rather than automation

Azure Key Vault is another security-related service used to store secrets, including passwords, encryption keys, and certificates. These secrets can also be protected by hardware security modules (HSMs). Access to the secrets can be easily monitored.

Azure Dedicated Host is a special VM offering where you have sole access to the physical hardware (as opposed to normal VMs which are shared). This can sometimes be required for compliance reasons.

  • A host group contains multiple dedicated hosts for high availability, similar to VM scale sets.
  • Maintenance control provides control over when regular maintenance updates occur, within a 35-day rolling window.
  • Pricing is per dedicated host, not per VM running on it. Additional charges apply for software licensing, storage, and network usage.

Network Security

This is a summary of the Secure network connectivity on Azure module.

Defence in depth refers to multiple layers of defence including:

  • Physical security: physical access to the data centre.
  • Identity & access: control access to infrastructure and change control. This includes use of SSO and multifactor authentication, as well as auditing events and changes.
  • Perimeter: DDoS protection and perimeter firewalls.
  • Network: use access control to limit communication between resources, and ensure any external connectivity (e.g. to on-premises networks) is secure.
  • Compute: secure access to VMs and ensure they have the latest security updates.
  • Application: ensure applications are free of vulnerabilities, and store secrets securely.
  • Data: store and transmit data securely, whether it’s in a database, VM disk, SaaS application (e.g. Office 365) or in other cloud storage.

Data protection is based on the CIA principles:

  • Confidentiality: Use the principle of least privilege to give access only to those who really need it. Protect secrets and resources from unauthorised access.
  • Integrity: Protect data at rest and in transit from tampering. Hash algorithms are usually used to verify whether data has changed; note that a bare hash only catches accidental corruption, because an attacker who can modify the data can recompute the hash, so detecting deliberate tampering needs a keyed MAC or a digital signature.
  • Availability: Ensure services are able to run and that access to their data is not compromised, e.g. by DDoS attacks.

Azure Firewall is a highly available and scalable stateful firewall used to protect resources within virtual networks. It can be configured to allow or deny traffic based on rules including:

  • Source IP address
  • Protocol
  • Destination port
  • Destination address
  • Which fully qualified domain names (FQDNs) can be reached from a subnet (application rules)

Network Address Translation (NAT) rules can also be configured in Azure Firewall: destination NAT (DNAT) rules forward traffic arriving at the firewall’s public IP to a private address, and outbound traffic is source NATed (SNAT) to the firewall’s public IP.

Azure Application Gateway, Azure Front Door and Azure Content Delivery Network offer a different kind of firewall known as web application firewall (WAF), which provides protection tailored to web applications.

Azure DDoS Protection resists attempts to overwhelm or overallocate resources by flooding them with requests. This is available in two tiers:

  • Basic: free and automatically enabled. The Azure global network is used to distribute and mitigate attack traffic across Azure regions; it ensures that Azure infrastructure is not affected by DDoS attacks. Includes always-on traffic monitoring and real-time mitigation of common network-level attacks.
  • Standard: provides additional protection for virtual network resources linked to public IP addresses. Adapts mitigation measures via dedicated traffic monitoring and machine learning algorithms.

DDoS Protection can help prevent the following types of attacks:

  • Volumetric attacks: flood the network layer with requests.
  • Protocol attacks: exploit weaknesses in layer 3 or 4 protocols.
  • Resource/application-layer attacks (only with web application firewall): target HTTP endpoints that are relatively slow to process, so many such requests ultimately overwhelm the server and make it unable to process additional requests. This requires the HTTP-aware WAF to mitigate.

Network security groups (NSGs) are like internal firewalls. Whereas Azure Firewall controls what traffic comes from outside, NSGs can be used to allow or deny traffic between resources in a virtual network, based on things like source/destination IP (single address, range or service tag), port, protocol (TCP, UDP, ICMP or any) and direction (inbound or outbound). Rules are evaluated in priority order (lower number first) and the first match wins; every NSG also has built-in default rules that allow traffic within the virtual network and from the Azure load balancer and deny all other inbound traffic, which custom rules override.
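The following added example (a model I wrote for illustration, not Azure’s implementation) shows in Python how an NSG reaches a decision for a single flow: rules are evaluated in priority order, the first match wins, and Azure’s default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound at priorities 65000, 65001 and 65500, with outbound equivalents) catch whatever the custom rules don’t. The virtual network address space 10.0.0.0/16, the custom rules and the test flows are constructed, and the Internet service tag is simplified to “anything outside the VNet”.

```python
"""Added example: how an NSG decides on a packet. Not Azure's code; a model of
the documented rule semantics: rules are evaluated by priority (lowest number
first), the first match wins, and Azure's default rules sit at 65000+."""
import ipaddress
from dataclasses import dataclass

# Assumption: the address space of the virtual network this NSG lives in.
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")  # Azure's load-balancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100..4096 for custom rules; lower is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*" (any)
    source: str          # CIDR list, service tag (Internet, VirtualNetwork, AzureLoadBalancer) or "*"
    source_port: str     # "*", "22", "1024-65535" or a comma-separated list
    destination: str
    destination_port: str


# Azure adds these to every NSG; they cannot be removed, only overridden by
# custom rules with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def address_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":  # simplification: anything that is not the VNet
        return ip not in VNET
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    return any(ip in ipaddress.ip_network(part.strip(), strict=False) for part in spec.split(","))


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def protocol_matches(spec, protocol):
    return spec == "*" or spec.lower() == protocol.lower()


def decide(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule name) for one flow: the first matching rule by priority."""
    candidates = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if (protocol_matches(r.protocol, protocol)
                and address_matches(r.source, src_ip) and port_matches(r.source_port, src_port)
                and address_matches(r.destination, dst_ip) and port_matches(r.destination_port, dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: the DenyAll default rules match everything")


# Constructed custom rules: SSH only from an admin range, SSH from the Internet
# explicitly denied, HTTPS open to the world.
CUSTOM_RULES = [
    Rule("AllowSshFromAdmins", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22"),
    Rule("DenySshFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "22"),
    Rule("AllowHttps", 200, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
]

if __name__ == "__main__":
    print(decide(CUSTOM_RULES, "Inbound", "Tcp", "203.0.113.7", 51000, "10.0.1.4", 22))
    print(decide(CUSTOM_RULES, "Inbound", "Tcp", "198.51.100.9", 51000, "10.0.1.4", 22))
    print(decide(CUSTOM_RULES, "Inbound", "Tcp", "198.51.100.9", 51000, "10.0.1.4", 80))
```

Note how SSH from another subnet of the same VNet is still allowed even though no custom rule says so: DenySshFromInternet does not match VNet sources, so evaluation falls through to AllowVnetInBound at priority 65000. If you want to block lateral SSH too, you need a Deny rule with a priority number below 65000.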