Archive for 2008

Easy IPv6 connections with miredo

Many services are starting to become available over IPv6, including this site, but the majority of home users cannot reach them. If you'd like to see the IPv6 internet, chances are it won't be difficult for you to get there.

Booting Debian in 14 seconds

Many readers will have heard about Arjan van de Ven and Auke Kok's work to boot an ASUS Eee 901 in 5 seconds. Inspired by this work, and because I have the same laptop, I decided to try to reproduce their results. So far I have not come very close to their 5 seconds, but I have made some significant improvements compared to the default boot time for Debian on that machine; this article describes what I've done.

Creating Filesystems with Ruby and FUSE

The FUSE project allows you to create filesystems in userspace - which means you can create a filesystem without having to get your hands dirty and modify your kernel source. This is insanely cool, and can be used for many purposes. Here we're going to look at using the Ruby bindings to create a simple filesystem.

Certificate Authority (CA) with OpenSSL

When you need to run a website (https), mail (ssl/tls) or similar over an encrypted link - you need an SSL certificate. This article will explain some of the choices involved, and how to run your own certificate authority (CA).

Mailman and Exim4

I recently installed Mailman on my server to provide a mailing list for my extended family. While in the end I was able to scrounge up the articles I needed by searching the web, many of them were woefully outdated. Here is a short article that pulls together my research and describes in one place what is needed to get Mailman running happily under Debian etch with Exim4.

Hiding comments in configuration files

Although comments can be a blessing in the configuration file of an unfamiliar system, they eventually become annoying if one is already very familiar with the file. In some extreme cases, they can actually be an obstruction to clarity.

Restoring iptables Automatically On Boot

There used to be an init.d script to restore iptables rules automatically at boot, but the suggested method is now to use ifup.d networking scripts, which are executed on state changes of the network interfaces. So I submit here my simple script, which does the trick for me nicely.

Commands you might have missed: apropos

apropos is a standard Unix command which is very frequently forgotten. That is a shame, as this tool is to man pages what Google is to the world wide web!

The name of the next Debian Stable Release announced

It was recently announced that the next Debian stable release, the one after Lenny, will be called Squeeze.

Flashplayer for epiphany?

I'm currently running Debian lenny and would like to be able to watch and listen to flash clips online (youtube?) with epiphany - but I'm having problems.

Creating global keyboard shortcuts in GNOME

The GNOME desktop environment is the default for Debian etch, and is one that I use every day. One thing that I always have a hard time remembering is how to setup global keyboard shortcuts, so this quick guide will document the process.

OpenAFS installation on Debian

The purpose of this article is to give you a straight-forward, Debian-friendly way of installing and configuring OpenAFS 1.4.x, the recommended production version of OpenAFS for UNIX. By the end of this guide, you will have a functional OpenAFS installation that will complete our solution for secure, centralized network logins with shared home directories.

Debian GNU/Linux 4.0 updated with support for newer hardware

The Debian project is pleased to announce the fourth update of its stable distribution Debian GNU/Linux 4.0 (codename etch). In addition to correcting several security problems and a few serious defects in the stable release, for the first time in Debian's history an update for a stable distribution also adds support for newer hardware by giving users the option to install newer drivers.

Patching denyhosts to allow correct plugin reporting

Imagine you have denyhosts installed and it is adding new attackers to /etc/hosts.deny. Wouldn't it be great to inform the relevant people so that some action could be taken? With the right plugin that is possible, but there is a problem with the default reporting that we'll explain here.

Commands you might have missed: pstree

If you're using a system which has a lot of users, and you'd like to see who has started a particular script, daemon, or binary, then the pstree utility is very helpful. It draws a tree of all currently running processes - allowing you to see which processes are related.

Commands you might have missed: tree

tree is a very simple utility which will draw a tree of a directory structure. It isn't a command which is generally useful, but it can be very handy to know about if you're writing articles!

Commands you might have missed: watch

There are many times when it is useful to be able to run a command, or a set of commands, repeatedly. You could do this yourself with a simple shell script, but using watch makes it simple.

Postfix Smarthost using Auth and SMTPS

My email server uses SMTP AUTH with PLAIN or LOGIN. Thus the password is sent without encryption (base64 doesn't count, honest). The server listens on port 465 so that the password can be encrypted using SSL, if people prefer not to send their password in plain text (my users generally know not to do that, or at least let me set up their mail clients).

Commands you might have missed

There are a lot of articles upon this site, and it appears that many of the most popular are those that are written with the complete beginner in mind. After realizing this I've decided to introduce a miniseries covering a few easily-overlooked tools and commands over the next week.

DNS Survival Guide

Hopefully you've all heard of CERT VU#800113, the DNS cache-poisoning advisory; this article is for people who didn't understand it.

Easily forwarding arbitrary TCP connections with rinetd

In the past we've examined the use of firewall rules for forwarding incoming connections from one machine to another. But there is a simpler approach using the rinetd package. Read on to learn about this tool.

Make your own configuration deployment system, part 1

In this series of articles, I describe the steps to making a flexible configuration deployment system tailored to your needs. It can be as simple or as complete as you care to make it. And since you made it, you can understand it intimately.

Question: Best tool for bare metal restore of Debian servers?

I've been doing a bit of searching through the Debian Administration archives and one thing that doesn't seem to have been discussed very much is full system recovery. There are plenty of discussions on different backup options, but nothing targeted at what seems to me the simplest possible backup scenario: protecting a single machine (specifically a server) so that if it is compromised it can be rolled back to a previous state.

Calculate network, broadcast, netmask, etc with ipcalc

Ipcalc is a simple tool to calculate network, broadcast, netmask, etc. from an IP address. It also gives the class of the IP. It might facilitate the work of network admins. :-)
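The arithmetic behind ipcalc's output is simple once the address is treated as a 32-bit integer. The following is an added example, not ipcalc's own code: it parses a CIDR string, derives the netmask from the prefix length, and then obtains the network, broadcast, wildcard mask, usable host range and classful class with plain bit operations. It also handles the /31 and /32 edge cases, where there are no separate network and broadcast addresses to subtract.

```python
"""ipcalc-style subnet arithmetic on the 32-bit form of an IPv4 address.

Added example, not the ipcalc program's own code. Everything is derived
from two values: the address as an integer and the netmask as an integer.
"""


def parse_ipv4(dotted):
    """'192.168.1.10' -> 0xC0A8010A, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value):
    """0xC0A8010A -> '192.168.1.10'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def classful_class(value):
    """Historical class of the address, decided by its leading bits."""
    top = value >> 24
    if top < 128:
        return "A"      # 0xxxxxxx
    if top < 192:
        return "B"      # 10xxxxxx
    if top < 224:
        return "C"      # 110xxxxx
    if top < 240:
        return "D"      # 1110xxxx (multicast)
    return "E"          # 1111xxxx (reserved)


def ipcalc(cidr):
    """Return the fields ipcalc prints for an address in CIDR notation."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    address = parse_ipv4(addr_text)
    mask = prefix_to_mask(prefix)
    wildcard = mask ^ 0xFFFFFFFF          # the host bits
    network = address & mask              # clear the host bits
    broadcast = network | wildcard        # set the host bits
    size = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (point-to-point, RFC 3021) and /32: every address is usable.
        hostmin, hostmax, hosts = network, broadcast, size
    else:
        hostmin, hostmax, hosts = network + 1, broadcast - 1, size - 2
    return {
        "address": format_ipv4(address),
        "netmask": format_ipv4(mask),
        "wildcard": format_ipv4(wildcard),
        "network": f"{format_ipv4(network)}/{prefix}",
        "broadcast": format_ipv4(broadcast),
        "hostmin": format_ipv4(hostmin),
        "hostmax": format_ipv4(hostmax),
        "hosts": hosts,
        "class": classful_class(address),
    }


def same_subnet(a, b, prefix):
    """True if two addresses share the network given by `prefix`."""
    mask = prefix_to_mask(prefix)
    return (parse_ipv4(a) & mask) == (parse_ipv4(b) & mask)


if __name__ == "__main__":
    for key, val in ipcalc("192.168.1.10/24").items():
        print(f"{key:10} {val}")
```

same_subnet is the check a firewall or ACL implicitly performs: it masks both addresses and compares the network bits, which is exactly why a wrong netmask in an interface configuration silently changes which hosts are reachable without routing.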

Monitoring with Munin

In this article I will describe how to install munin on two computers (you can add more if you want to). This will allow us to remotely monitor system performance and activity.

Critical security update for openssl

A new security advisory has recently been released relating to the Debian openssl package, and whilst most security updates are not news-worthy this one is. Read on for a brief overview of the problem.

Need a generic iptables tcp proxy?

Do you ever find yourself in need of a generic TCP proxy? Do you wish you could do it with netfilter? Do you want to proxy a connection to a given port on a given IP address to a completely different port on a totally different host or network?

How to use any command in FTP ?

I wanted to use the "find" command on an FTP space, but it's not possible to use this command with any "normal" FTP client. So, I looked for a solution.

Logical Volume Management: How PVs form VGs for LVs

When I set out to build my first system using Logical Volume Management I was surprised by the lack of information about how LVM relates to more "traditional" disk-level partitioning. There were plenty of articles with examples of how to use 'vgcreate' and 'lvresize' and no short supply of advice and white noise from the forums, but there was very little practical information about what the various strata of LVM were actually for or how they related to each other. In fact I was well into my search for information before I figured out where to put the file system.

Making Apache2 execute CGI scripts, globally?

I have set up a Debian etch system with apache2, perl etc., but I cannot get apache to actually execute my scripts.

Using the dynamic DNS editor: nsupdate

nsupdate is the little-known brother of nslookup. It is used to make edits to a dynamic DNS zone without the need to edit zone files and restart the DNS server. If you have declared a zone dynamic, this is the way that you should be making edits.

OpenSSH SFTP chroot() with ChrootDirectory

The upcoming version of OpenSSH (4.8p1 for the GNU/Linux port) features a new configuration option: ChrootDirectory. This has been made possible by a new SFTP subsystem, internal-sftp, built into sshd itself, so no binaries need to be copied into the chroot.

Checking password strength for squirrelmail

I have successfully used the method below to configure the change_ldappass plugin of Squirrelmail to perform password strength checks using cracklib. I made a few assumptions, but it should be easy to adapt it to your own situation.

Introduction BackupPC part 1

This HOWTO will describe how to install BackupPC and how to create a simple backup using backuppc. BackupPC can offer a nice solution for both simple and complex backups.

pam_mount and sshfs with password authentication

pam_mount is "a Pluggable Authentication Module that can mount volumes for a user session". It is used to automatically mount a network share or volume when a user logs in, and unmount it when the user logs out. sshfs is a FUSE filesystem that allows mounting a directory using the SSH sftp subsystem.

Using pam-mount to create a sandboxed home directory

My biggest fear when using a public computer is that the data I enter might fall into the wrong hands. One way for developers to combat data theft is to hold personal info only for as long as is absolutely necessary, thereby shortening the window of opportunity for an attacker. This is possible in Linux through a combination of tmpfs and unionfs.

OpenLDAP installation on Debian

The purpose of this article is to give you a straight-forward, Debian-friendly way of installing and configuring OpenLDAP. By the end of this guide, you will have a functional LDAP server that will serve as a central authentication system for user logins onto all machines in the network, without the need to manually create users' accounts on individual machines.

Struggling to implement PCI compliance

I'm striving to comply with PCI standards, but I'm running into a wall - due mostly to confusing, out-of-date, contradictory, and/or incomplete documentation. Or maybe just my own dense mentality. Does anybody have any guidance to help me walk through the security thickets of setting up my Debian-based web store?

Debian amd64: iceweasel with i386 plugins, outside a chroot

If you weren't already convinced that closed source sucked before, then surely the experience of trying to browse the net with an amd64 machine will have won you over;

Redirect if a website root is empty?

This should be a simple problem to solve, but I've yet to find a good solution, so any assistance would be most welcome. If you'd like to redirect to another website if a directory root has no files in it, how would you do so?

Running programs when filesystem events occur

There are many little jobs which people tend to schedule, via cron, which do nothing unless particular files have appeared. These busy-wait style scripts may easily be replaced if you have the ability to execute commands when files are created, or filesystem events happen. Read on to see how to do that.
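The kernel feature that makes this possible on Linux is inotify: a process registers interest in a directory and then sleeps until the kernel reports an event, instead of waking up every minute to list the directory. The following is an added example, not the article's code, that uses inotify directly through ctypes so it needs nothing beyond the standard library. It watches for files that have been closed after writing or moved into the directory (so a half-written upload is never handed to the job) and calls a handler for each one; the names, the handler and the idle timeout are assumptions chosen for the example.

```python
"""Replace a busy-wait cron job with an inotify watch (Linux only).

Added example, not the article's own code. Talks to the kernel's inotify
API through ctypes: inotify_init1() gives a descriptor, inotify_add_watch()
registers a directory, and each read() returns packed struct inotify_event
records that parse_events() decodes.
"""
import ctypes
import os
import select
import struct

IN_CLOSE_WRITE = 0x00000008   # a file opened for writing was closed (upload complete)
IN_MOVED_TO = 0x00000080      # a file was renamed/moved into the directory
IN_NONBLOCK = os.O_NONBLOCK   # glibc defines IN_NONBLOCK as O_NONBLOCK

# struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
_EVENT_HDR = struct.Struct("iIII")

_libc = ctypes.CDLL(None, use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_init1.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_libc.inotify_add_watch.restype = ctypes.c_int


def _check(ret):
    """Turn a -1 return from libc into an OSError carrying errno."""
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return ret


def parse_events(buf):
    """Decode every inotify_event record in one read() buffer as (wd, mask, name)."""
    events = []
    offset = 0
    while offset + _EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, offset)
        offset += _EVENT_HDR.size
        # name is NUL-padded to `length` bytes; it is empty for events on the directory itself
        name = buf[offset:offset + length].split(b"\0", 1)[0].decode(errors="replace")
        offset += length
        events.append((wd, mask, name))
    return events


class DirWatcher:
    """Watch one directory for finished files."""

    def __init__(self, path, mask=IN_CLOSE_WRITE | IN_MOVED_TO):
        self.fd = _check(_libc.inotify_init1(IN_NONBLOCK))
        self.wd = _check(_libc.inotify_add_watch(self.fd, os.fsencode(path), mask))

    def close(self):
        os.close(self.fd)

    def wait(self, timeout=None):
        """Sleep until events arrive. Returns the file names, or None if `timeout` expired."""
        ready, _, _ = select.select([self.fd], [], [], timeout)
        if not ready:
            return None
        records = parse_events(os.read(self.fd, 64 * 1024))
        return [name for _wd, _mask, name in records if name]


def run_handler_loop(path, handler, idle_timeout=None):
    """The cron replacement: handler(name) for each file as it lands in `path`.

    Returns the handled names once `idle_timeout` seconds pass with no events
    (None means run forever, as a daemon would).
    """
    watcher = DirWatcher(path)
    handled = []
    try:
        while True:
            names = watcher.wait(idle_timeout)
            if names is None:
                return handled
            for name in names:
                handler(name)
                handled.append(name)
    finally:
        watcher.close()


if __name__ == "__main__":
    import sys
    run_handler_loop(sys.argv[1] if len(sys.argv) > 1 else ".", lambda n: print("finished:", n))
```

Reacting to IN_CLOSE_WRITE rather than IN_CREATE is the important design choice: a file exists from the moment it is created, but a job that processes it then may read a partial upload. Note also that inotify is not recursive and delivers no events that occurred before the watch was added, so a daemon should process whatever is already in the directory once at startup.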

Sysvconfig: How not to go postal over a service

Demons? Etsee in it? Dot-D? Those are just jargon sounds to laymen, but you might recognize them to mean daemons, and /etc/init.d. If you've ever tried to tell a layman to stop, start, or restart a daemon, you know that it's exasperating. It may take several minutes - the layman doesn't know how to spell etc, he doesn't know a forward slash from a backslash, and he doesn't know what you're saying when you say init.d. Lastly, if he is doing this because you need him to (i.e. he didn't ask you, you asked him), then he probably doesn't know what the command line he just typed accomplishes. It may not be necessary for him to know, but if he's curious, he may ask, which just adds to your exasperation and time needed to get the task done.

Unlocking a LUKS encrypted root partition via ssh

I'm running a Debian server with a LUKS encrypted root partition and want to be able to enter the pass phrase locally at the terminal or via ssh. This article describes how I achieved that.

Heartbeat2 Xen cluster with drbd8 and OCFS2

The idea behind the whole set-up is to get a high-availability two-node cluster with redundant data. The two identical servers are installed with the Xen hypervisor and almost the same configuration as cluster nodes. The configuration and image files of the Xen virtual machines are stored on a DRBD device for redundancy. DRBD 8 and OCFS2 allow simultaneous mounting on both nodes, which is required for live migration of Xen virtual machines.

How To Migrate to a full encrypted LVM system

The point of this how-to is to describe the way to migrate to a fully encrypted LVM system (rootfs + data; only the boot partition obviously stays unencrypted), either from an existing LVM system or from a plain ext3 system. All you need is some kind of external storage.

Cloning a Debian Etch system for redundancy

I am responsible for a production web server that is very critical to our clients and the bread and butter of our company. We have colocated the server, for reliability of power, A/C and Internet connectivity as well as cost-effective high bandwidth. Here, we describe how to maintain a redundant server with the configuration of an identical standby machine.

Making a bootable backup Debian system disk

Making a backup disk is usually an obvious task, but making the disk ready to boot so that it can immediately be used as a replacement can be tricky. Here I give a recipe for making a bootable disk that can be adapted to whatever block device you may be using as a backup disk. This could be an internal or external hard disk, a USB key, etc.

Installing the Alternative PHP Cache (APC)

The Alternative PHP Cache (APC) is a free, open, and robust framework for caching and optimizing PHP intermediate code. It's a PECL extension which shares its packaging and distribution system with its sister, PEAR.

Securing OpenSSH Server [Part 1]

I'm sure that if you're responsible for any server connected to the Internet with a "real" IP address, or if you port-forward :22 to a box on your LAN, your logs will contain a lot of failed SSH attempts. Here we'll look at some simple solutions.

Using GNU screen's multiuser feature for remote support

It is often a waste of time for the person on the other end of the phone to listen to the support guy without really seeing what goes on. Using GNU screen two people can watch what is happening, and we'll show how here.

Past Years