Archive for 2007

Making shell scripts executable via editor hooks

If you spend a lot of time creating new shell scripts, be they plain shell or scripting languages such as perl or python, then it can be very useful to make new scripts be executable by default. Here we'll show two simple recipes for GNU Emacs and vim to do just that.

MIT Kerberos installation on Debian

The purpose of this guide is to give you a straightforward, Debian-friendly way of installing and configuring Kerberos. We will go through an introduction to Kerberos, installation, configuration, PAM config and the setting up of encrypted telnet/ftp sessions to the server. We will show how to use Kerberos logins as a replacement for SSH keys, and how to use standard (optionally encrypted) telnet/ftp connections instead of SSH.

Debian Administration website design contest!

The current look of this site hasn't changed much for the past two years, apart from a few additional CSS rules being used by default in article texts. Whilst the content here is hopefully of sufficient quality to allow the current design to be tolerated I'm sure we can do better.

Using one time passwords to temporarily open firewall ports

I use Xen to create multiple locked-down virtual machines to run services which I want to present to the internet. I do not allow direct connections from the internet to my firewall, but sometimes there's a need to do remote administration (via ssh), so I can temporarily open up one or more ports. This I do with a webpage where an OPIE (one time password) challenge should be entered.

Migrating mailman lists

A couple of weeks back we had to migrate a few mailman based mailing lists across to a new server. Migration was successful and we had minimal downtime, since no changes were applied to the lists; they were simply moved to a new home. Here is how we did it.

schroot - chroot for any users

From the manpages: schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.

Using the X clipboard from the command line

Ever want to copy the output of a command to the clipboard and paste it elsewhere? How about pasting into the input of a command? xclip lets you do exactly that.

Creating simple transactions for shell scripts with mercurial

I've recently started to use mercurial to add a crude form of transactions to a set of shell scripts I wrote to automate some system administration tasks (installing mediawiki, tiddlywiki, fudforum, mailman, postfix satellite ...).

Scalable Public Key Infrastructure for both OpenSWAN and OpenVPN

User management and the related cryptographic authentication infrastructure is a major hurdle in deploying scalable, manageable VPNs (Virtual Private Networks). After introducing VPNs and Public Key Infrastructure (PKI) and discussing some of the benefits and challenges of two popular VPN implementations, we'll document how to build a scalable PKI to simplify VPN authentication management.

Filtering P2P network traffic with ipp2p

Large and medium-size corporate and institutional networks suffer nowadays from "smart" users who try to get their latest movie/software/music/TV show downloaded in their office.

Debian FTP-master downtime & a new mailing list

Users of Debian's unstable branch, sid, will have noticed that their systems haven't been updated over the previous few days. This is because one of the core Debian machines is unavailable.

An introduction to the visual features of GNU Screen

Many people here use GNU Screen, and I've not seen extensive coverage of the things you can do with the status-line in the past, so I thought a brief overview of a couple of visual settings wouldn't be amiss. Read on for more details.

Downloadable chroots for Debian, Ubuntu, and Fedora Core

I'm a frequent user of vserver and I like to create fresh installations as quickly as I can, for packaging or test purposes mostly. Unfortunately there aren't many current images available for download. So I made my own.

Interception of files with tcpdump

If you're like me you want to know what's going through your home network. Here is how to use tcpdump, tcpflow and foremost to intercept and extract unencrypted files.

Setting up a search engine for your website

If you run a website and want people to be able to search it, then installing a local spider to crawl your site and create a small database of your content which users may search is a relatively straightforward thing to do. Here we'll look at using mnoGoSearch - which is packaged for Debian and simple to install.

Debian way to make tiny change to package

Have you ever had to make a one-line correction (or customization) in a big package? If so how did you manage it? The obvious way is to rebuild a package and serve it locally, but is there some other approach?

Egroupware server with LDAP backend

Egroupware is a web-based groupware suite with an impressive list of features. Egroupware uses a MySQL backend to store all its data, but the latest release makes it easy to store user accounts in an LDAP tree. This document describes how to install the latest version while using an LDAP backend for user accounts. Egroupware can then manage the Unix login accounts as well as Samba login accounts.

Introduction to Cereal - the serial line management tool

Many people view serial ports as antiquated, out-dated connectors taking up space on their computers. However, serial ports still offer one of the best ways to communicate reliably and simply with a machine. For example, a serial port can be configured to act as a full-featured system console. This article describes how you can use cereal to monitor, log, and control access to serial lines connected to the consoles of other computers.

Export your block devices with AoE

Imagine you have a machine with all of its disks full and another with unused gigabytes, and you don't want to move the data from one to the other. Why not use the second's disk on the first? You can do it with iSCSI, but you can do it with ATA over Ethernet (AoE) too. It's the second method I'll explain in this article.

Are firewalls useful?

For many years I've been configuring servers without firewalls, and generally find this a good way to do things. However several people have recently questioned my judgment on this matter, so I'm interested in hearing your thoughts.

Use ssh on multiple servers at one time

Lots of us have many servers to manage, and we perform the same tasks on each of the machines every day. If you want to save time, the package cssh will make you happy!

Creating dynamic swap space

When a GNU/Linux machine runs out of physical memory it will start to use any configured swap space. This is usually a sign of trouble, as swap files and partitions are significantly slower to access than physical memory; however, having some swap is generally better than having none at all. The size of swap allocated to files, or partitions, is usually chosen arbitrarily, with many people adopting the "double the memory size" rule of thumb. Using a dynamic system can ease the maintenance of this size.

Updating your timezone data for daylight savings changes.

Daylight savings time in New Zealand has changed to start one week earlier than last year, but in order for your Debian or Ubuntu system to automatically do the right thing on September 30th, it will need to be updated. Fortunately this is easy for etch, Ubuntu feisty and later releases, as updated tzdata packages are available in their respective proposed updates repositories. However, the situation is more complicated for sarge, so this guide looks at a solution. This may be of future value to others who find their system's timezone data lags behind real world changes.

Controlling the size of the $PWD in bash

Debian shows the absolute path in the command prompt by default, and it can be really long, sometimes. This can take up valuable space in your shell windows.

Site downtime [Completed]

The machine hosting this site is suffering from a failing disk, and will be shut down shortly so that a new drive may be fitted. Update: Migration complete.

Giving yourself a quieter SSH login

Usually when you connect to a server remotely, via ssh, you'll be shown the "message of the day", the last time you logged in to the machine, and other details. Here's a simple way to disable that behaviour.

Using kvm, or kqemu, to speed up qemu

Have you ever wanted to play with a new distro without having to burn and then reboot into a liveCD, or do an install into a spare partition that you may or may not have? QEMU has been an option for a while, but it is slow. There are several options available to run up a virtual machine, i.e. a second operating system running inside and separate from your already running operating system. Here we will be focusing on kqemu and kvm.

Installing and optimising the Drupal CMS on Debian Etch

Drupal is an excellent free software content management system, written in PHP. It's a good choice if you have to build a new site for non-technical users or customers, as both content editing and site administration can be done directly in the main site by authenticated users, and there's very little markup for those users to learn.

Bash eternal history

Many times I've found myself using Ctrl-R in Bash to get an old command four times the terminal width, just to find out that too many days have passed and it's no longer in the .bash_history file. Here are two lines that will keep track of every command line you type at the bash prompt and use no external processes at all, just plain bash.

Working with network block devices

There are times when you have a machine, or two, which is short of disk space and yet you have spare capacity elsewhere upon your LAN. For these times using a Network Block Device could come in handy. This allows you to literally export files as block devices remotely.

Spam filtering with qpsmtpd

There are many methods used to fight spam which are tied to particular mailserver implementations. This means that unless you're using that specific software you cannot take advantage of them. A simple means of adding additional anti-spam checks to your mailserver is to place it behind an SMTP proxy. One common proxy is the extremely flexible qpsmtpd server.

Filtering traffic based on thousands of IPs efficiently

Trying to insert 70,000 rules into iptables on a recent machine takes about an hour, and going through these rules for each packet is even more of a burden. But iptables can send packets to userspace to be handled there. This article describes how to filter network traffic efficiently, based on thousands of IPs, with a new tool called nfqueue.

Setting up a Layer 3 tunneling VPN using OpenSSH

This article describes how to use the new tunneling features of OpenSSH V 4.3 to establish a VPN between two Debian or Debian-like systems. Note that by tunneling I am referring to layer-3 IP-in-SSH tunneling, not the TCP connection forwarding that most people refer to as tunneling.

Automated GNU/Linux Installation CDs by the Truckload

A few days ago, HP unveiled the latest version of their LinuxCOE (Linux Common Operating Environment). In as few words as possible, LinuxCOE allows you to set up a web page where you can make customized GNU/Linux installation CDs that can install a Linux distribution without any human interaction. This is very handy if you often have a lot of PCs to set up with GNU/Linux, and it is especially useful if those PCs all have varying hardware characteristics (different hard drive sizes etc.). If you want to see LinuxCOE in action, check out Instalinux, which is powered by LinuxCOE, and generate your own CD immediately :)

Setting up multiple Vservers for home gateway testing

This setup might have other uses which I haven't thought about, but this was the scenario I had. I was working with testing home gateways, DSL/Ethernet/fiber, and had a lot of them. In an ideal world I would have one computer for each device acting as a "regular home user's computer", but that would require space/cooling/whatnot. When the number of devices went above ten, that was not really a practical solution anymore. Instead I set up a bunch of vservers.

Resizing Encrypted Filesystems

Yes! You can grow an encrypted partition, as long as the size of the underlying block device grows first. If you have an ext3 filesystem on the encrypted partition, you can even grow the (encrypted) filesystem without unmounting it. This article gives a brief overview of how it is done.

Blocking ad servers with dnsmasq

I was chatting with a colleague over IRC on Tuesday and he was complaining about the new update for Bind9 that broke his automatic blocking of ad servers. Naturally I was curious and asked him what he was talking about.

Running 32-bit Applications on 64-bit Debian GNU/Linux

Advanced Micro Devices (AMD) developed a series of 64-bit extensions to their 32-bit RISC-based Intel IA-32 (i386) compatible processors. AMD sell their AMD64 (x86-64) architecture processors under a range of names: Athlon 64; Turion 64; Phenom; Opteron and Sempron (only the latest generation).

A brief introduction to xen-tools

It is no secret that I'm a big fan of the open source Xen virtual machine hypervisor, and I've written several tools to make using it under Debian GNU/Linux more straightforward. Here we'll take a quick look at using xen-tools to easily create new Xen guest domains.

Question: how can we help more people use OpenPGP?

I use gpg and other associated OpenPGP infrastructure a lot these days, but it's taken me a long time to get up to speed with it. The growing use of gpg across the Debian project (including the introduction of OpenPGP-signed APT repositories) has helped me immensely. I have friends and colleagues who use OpenPGP systems to varying degrees (including some not at all). Some of the folks who use it rarely (or not at all) are interested in learning more. I'd like to help the system spread, as I think it's the best infrastructure we have for seeing real decentralized, end-to-end cryptographic communications.

Using proprietary i386 apps on an amd64 system

There's nothing like switching hardware architectures to make you realize one of the big advantages of free software: you can recompile all your free tools to use the new system. But what happens when you have a handful of non-free apps that were built for the old arch and you need to continue to be able to use them?

SSH with authentication key instead of password

SSH is a must-use tool for system administrators. However, resting access security on a human-entered password is not very wise. Script kiddies may break into your system due to a lazy user with a weak password. And

Making Debian packages from proprietary software

One of my main goals for a managed infrastructure is to make sure I have consistent versions of end-user applications installed everywhere. My users aren't too picky about the version of xemacs installed, but they've got pretty stringent requirements on having a particular version of ANSYS, Abaqus, Fluent, Maple, Matlab, and other large non-free/no-source-available software packages. And they don't all agree on which version should be loaded, so I keep several loaded at once.

2/2: An introduction to using Puppet

In our previous introduction to Puppet we covered installing the client and server, such that a small LAN could be configured centrally. Here we'll demonstrate some of the things that can be done with such a setup.

Preparing a machine to instantly deploy in case of a failure?

This must be a common problem, but I can't find the canonical solution. We have two identical machines running a few medium size websites. One is a production machine, the other is an identically setup machine used for development. We want to be able to deploy the development machine quickly in case of problems with the primary server - how should we go about that?

1/2: An introduction to using Puppet

Puppet is a relatively new system configuration and management tool which can be used to administer a large number of machines. It is similar to CFEngine, but written in Ruby. In this introduction to working with Puppet we'll demonstrate how to install it, and use it upon a small LAN.

Setting up new users and handing out their details?

I am the administrator of a small computer lab, and I would like to automate the creation and initial setup of new user accounts - such that each new user can be given a printout of useful information and their account details. Is there some packaged software to do this simple job?

Multi-arch installation: x86 and amd64

Since I bought my first amd64 system, I have been developing a solution to make the best of the new amd64 and the old x86 architectures working together. There is a lot of documentation out there, but most of it is incomplete or obscure.

A brief introduction to mutt-ng

mutt is a well known and much loved mail client well suited to the efficient handling of a large volume of email. One of the things which makes it so powerful is its extreme flexibility and customisation options. The next-generation mutt package builds upon the core mutt with some additional features; most noticeably the introduction of a sidebar, which this article introduces.

Mounting file-systems by label rather than device name

When you're dealing with multiple drives, both fixed and removable, it can get hard to remember which is which: remembering to mount /dev/sda1 in one place and /dev/sdc5 in another. The solution to this problem is to use labels instead of partition names when referring to them, and here we'll show how that can be done.

A couple of minor ext3 performance tweaks

The ext3 filesystem is probably the most common filesystem used upon GNU/Linux machines. It isn't necessarily the fastest, the best, or the most modern filesystem but it does perform adequately for the majority of users.

Which control panel(s) do you use?

There are several control panels available for Debian GNU/Linux which allow you to use a web-browser to manage virtual hosting for websites and email. If you're using one I'd love to hear why you chose it, what you like about it, and what is missing.

Create "chroot jail" for bind

This article will explain how to create a chroot jail for bind8. This effectively makes bind oblivious to the rest of the (file)system beyond its chroot directory tree. Therefore security will be increased, because if bind, due to some crack attempt, allows shell access, one cannot go beyond the chroot environment.

Country-based packet filtering with iptables

Bruteforce attacks shouldn't pose a real security risk to any server but are still annoying and clog up your logfiles. Many methods to block these break-in attempts exist, like BlockHosts, Fail2ban or rate-limiting incoming connections. However, on my search I also came across one tool for which I couldn't find an easy guide: geoip. geoip is a module for netfilter/iptables and allows you to filter packets based on the country they come from or go to. Following is a step-by-step guide on how to install geoip.

Site downtime, Saturday 14th April 2007

I'm just posting this to give advance warning that this site may be unavailable for parts of Saturday morning. Hopefully the downtime should be only a couple of hours at the most.
Update: Etch upgrade complete. No significant issues.

Receiving notification of new upstream software releases

If you're responsible for creating the Debian packages of a piece of software which isn't in the Debian archives, or if you're a Debian-developer keen on keeping your package up to date you will need to be aware of any new software releases which should be packaged. Here we'll show a simple means of doing that.

Executing commands upon remote machines via secure email

I recently came across the grunt package which is designed to allow you to execute commands remotely, via the delivery of GPG-signed email. Since documentation is scant this introductory article was born.

The Debian Project announces the release of Debian 4.0

The Debian Project is pleased to announce the immediate availability of their next stable release. Debian 4.0, codenamed Etch, was officially released today, after 21 months of constant development.

Restrict Access To Your Private Debian Repository

There are many times where it is useful to set up a small repository for apt-get to install packages from. The downside of placing such a repository in a publicly available place is that other people might start using it. Here we'll look at a couple of simple ways of restricting access.

Software RAID5 and LVM with the Etch Installer

Our team at LinuxForce recently put together a Debian server with LVM on a software RAID5 volume. This has been possible through complex installation procedures in the past, but today the Debian Etch installer is capable of handling such an installation if you follow the proper steps, which I outline in this article.

Antivirus and Antispam setup with Exim4

Last week, due to disk failure, we had to reinstall a server. This old workhorse has been serving numerous domains for the past 4 years and needed urgent maintenance. I made sure that I noted all the steps involved in implementing an Antispam & Antivirus filtering capable mail server when setting it up from scratch, and this article is the result.

Implementing cost effective dual factor authentication

A great way to improve security on your system's public services is to add an extra factor to your authentication scheme. Here we'll show what that means and how it works.

An introduction to the XMMS2 package

Over the past few years I've used the venerable XMMS application for playing back all my audio content. After reading recently that this project has been mothballed, seeing no future updates, I decided to try the successor project XMMS2. Here's how I got on.

Using RADIUS to authenticate users with RSA SecurID

Recently I was tasked with authenticating users who carry RSA SecurID tokens. I was highly inspired by Jeff Wirth and his success using RADIUS to authenticate with SecurID Tokens on FreeBSD. While I'm not a fan of non-free software, it's possible to make each server authenticate against the non-free RSA Ace server using only free software. This isn't a perfect solution but it's useful when such a requirement is thrust upon you.

Writing shell scripts which execute locally or remotely

There are a lot of times when it is useful to have a single shell script run both upon the local host, and also upon remote hosts. Here we'll show a simple trick which allows you to accomplish this easily.

Using truecrypt-installer to help install Truecrypt for Debian

Update: The project page hub for latest utilities is at Freshmeat.

Booting Xen 3.0 guests using NFS

One of the nice things about using Xen is that it doesn't require much setup to create new guests - just a loopback file or two, or an LVM partition. If you use NFS to store your remote systems you don't even need that. Here we'll give a quick example of booting Xen guests which will mount their root file-systems via NFS.

Downloading Debian source packages easily

To download the source of a package contained inside a Debian repository, whether official, or unofficial, is a straightforward operation using the apt-get support for "source lists". However downloading a package source which is stored upon a remote webserver can be a little fiddly - requiring multiple files to be fetched before the source can be unpacked. Using the dget tool this can be easily automated.

How do you manage your SSH host keys?

When connecting to a new OpenSSH server for the first time you'll be prompted to accept its host key - but how do you know if it is valid? How do you manage SSH keys for multiple machines?

Keeping consistent network interface names with ifrename

If you have multiple ethernet devices upon a system it is useful to make sure they are always given the device names that you expect. This can be useful when you're managing upgrades - or for situations where you accidentally set up a system with eth1 plugged into a switch rather than eth0.

Working with MAC addresses

MAC addresses are often taken for granted, things that nobody thinks about. However there are times when you do need to worry about them. Here we'll demonstrate how to view and change the MAC address of your Debian system.

Generating consistent "random" numbers

Generating random numbers on a collection of machines can be a useful way of ensuring they don't all access a particular resource at the same time. (For example backup jobs to a central NFS server). However using truly random numbers can make things unpredictable - using a machine-specific delay can be the best solution.

Re-creating Debian binary packages with dpkg-repack

If you've installed a Debian package upon a machine, but lost the binary archive, then it is difficult to copy that package to another machine. Thankfully there is a simple solution for recreating a Debian package from an installed system.

PHP hardening patch - Suhosin

PHP has a notorious security history, but web hosts have to provide it. Suhosin is a security patch that can be applied to change behaviour of the default PHP install in security related ways, and is now packaged in Debian Etch and Sid, with some of it built into the default PHP builds, and some available as an extra.

Automating interactions with your netgear router

Here is how I wrote some code using Perl to automate controlling my router. I have a NETGEAR DG834 ADSL router and I wanted to control it via ifup/ifdown so that, with the help of sudo, I can allow my home users to connect/disconnect to the Internet from a Debian box.

UnixODBC CLI Install and Configuration

For those of you that may not know what unixodbc does, "ODBC is an open specification for providing application developers with a predictable API with which to access Data Sources. Data Sources include SQL Servers and any Data Source with an ODBC Driver." They include a text file driver as an example of a non-SQL source. Two examples are Asterisk and OpenOffice.org.

Running Ruby applications with Mongrel and Apache2

When you start working with Ruby on Rails applications you're probably content with using the integrated HTTP server, webbrick, for development. Once you're using them in production though you'll want something more capable. This is where mongrel comes in.

Getting X11 forwarding through ssh working after running su

X authentication is based on cookies -- secret little pieces of random data that only you and the X server know... So, you need to let the other user in on what your cookie is. One way to do this is as follows:

Using the nvidia binary driver with Xen on Debian etch

I recently set up Xen 3.0.3 on Debian etch using the great guide here from this site. However, if (like me) you use the binary Nvidia X.org driver, after rebooting into your new XenLinux kernel your X.org server will fail to start. If you read its error output, you will see that this is because it cannot find the nvidia kernel module. Here we'll show how to fix things.

Debugging system freezes

Sometimes your Debian box hangs, and for a strange reason, there is no debugging information printed on your screen. What options do you have?

Automatic package update nagging with apticron

Do you need your machines to automatically alert you when new packages are available? apticron might be just the package you've been looking for.

Reporting Debian bugs without a working MTA

Debian makes heavy use of its bug-tracking system for allowing users to inform developers which problems need fixing. However, it normally requires you to have a working MTA that connects to the Internet. This article shows that you can still report bugs even if you don't have a working MTA for any reason.

Connecting to office network using OpenVPN tunnel

I wrote this article because I think that it will be useful for people who are using Debian GNU/Linux as their home desktop and want to connect to a corporate LAN protected by a CheckPoint VPN-1/NG VPN server.

How to make *.deb packages from Truecrypt sources

SMTP via a SSH tunnel

Suppose you have an email account and a shell account on a Unix server. Furthermore, suppose that you yourself use a laptop and download your mail from the server by POP3 or IMAP, and send it via SMTP using the server as a smarthost. Now imagine that for some reason (your dynamic IP, your geographic location, evil admins in your local network) SMTP access is denied. What can you do?

Managing Laptop Network Connections with KWLAN

KWLAN is a very handy network connections manager for the KDE desktop. The main features are auto-detection of multiple interfaces, ability to use wpa_supplicant wireless security, and scripts that run for each connection profile created.

acct across a network with centralized LDAP authentication?

I have set up a network with centralized user authentication through LDAP and access to home directories with NFS. I would now like to monitor users' connection time and usage, but across the network, rather than on a per-machine basis.

Running GNU/Linux Debian s390 under an i386

Using the hercules emulator it is possible to have your system emulate an IBM mainframe! Here we'll give a brief overview of using the emulator to install a pre-made image of Woody, giving you a Debian GNU/Linux S390 system.

Past Years