Archive for ‘Ubuntu’ Category

Four little Security tools you should install in Ubuntu

Posted on 14:41, June 12th, 2008 by Many Ayromlou

These should probably also be installed under other Linux distros (they might already be). But for the sake of completeness, here they are:

1) denyhosts: great little package that’s already 98% configured after the apt-get install process. It runs as a daemon, monitors the /var/log/auth.log file for unsuccessful ssh logins and bans the originating IP by adding it to /etc/hosts.deny. The cool part is that it does not need access to the firewall or anything. The config file is /etc/denyhosts.conf and is pretty self-explanatory. The Ubuntu package is called “denyhosts” and needs python to work.

2) chkrootkit: another little gem that you install via the apt-get install process. The Ubuntu package is called “chkrootkit”. After install do “man chkrootkit” for more info, but the gist of it is that when run from the command line it uses its own utils (located in /usr/lib/chkrootkit) to see if the system is infected.

3) rkhunter: this util is really a giant shell script, but it’s really nice and easy to use. Again use the Ubuntu package name “rkhunter” to install it. Its config file goes into /etc/rkhunter.conf and is pretty nicely set up by default. Next run “rkhunter --update” to update the description/signature files from their website, then run “rkhunter --propupd” to grab a snapshot of the various files installed on your system. This snapshot is used later, every time you run the check, to see if anything has been changed by trojans/rootkits. Finally run “rkhunter --check” to actually run all the tests and see if you’re good to go. If there are warnings at the end, check /var/log/rkhunter.log for a list of explanations about those warnings (suspicious filenames, hidden file locations, etc.)

4) ufw: The netfilter (firewall) interface for the rest of us. If you’re, like me, too dense to remember the iptables lingo, this might be for you. See this page for a good introduction.
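What denyhosts (item 1) does with auth.log, reduced to its core as an added example; this is not denyhosts' own code. The log lines are constructed samples using documentation IP ranges, and the threshold argument is this script's own parameter, not a denyhosts setting.

```shell
#!/bin/sh
# Added example: count failed ssh logins per source IP and print the
# /etc/hosts.deny lines a denyhosts-style tool would add.

# Constructed sample of /var/log/auth.log content.
sample_auth_log() {
cat <<'EOF'
Jun 12 14:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 12 14:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jun 12 14:01:09 web1 sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jun 12 14:02:40 web1 sshd[2240]: Accepted password for many from 198.51.100.20 port 51515 ssh2
Jun 12 14:03:11 web1 sshd[2251]: Failed password for many from 198.51.100.20 port 51530 ssh2
EOF
}

# Read auth.log lines on stdin; $1 is the number of failures that triggers a ban.
ban_candidates() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the remote side, so take the IP
            # from the fixed tail of the line: "from <ip> port <n> ssh2".
            if (NF >= 5 && $(NF-4) == "from" && $(NF-2) == "port")
                fails[$(NF-3)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit)
                    print "sshd: " ip      # tcp-wrappers hosts.deny syntax
        }
    ' | sort
}

# Only the address with three failures crosses a threshold of 3.
sample_auth_log | ban_candidates 3
```

On a real system the input would be /var/log/auth.log; review the output before appending anything to /etc/hosts.deny, since a wrong entry locks out a legitimate address.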

Have fun and remember kids Vitamin U(buntu) is good for you.

Some Unix/Linux Coolness…..

Posted on 17:53, June 11th, 2008 by Many Ayromlou

I think every admin must do something stupid at least once….right? Well my brain fart happened during a System upgrade (another story I’ll be ranting about later). I made backups of all the files I thought were important (/home, /etc, /var/lib/mysql and other userdata we had on the system) and installed Ubuntu 8.04 on the server. Well, of course the second person who walks in to report problems, asks me about his personal crontab……DOOOHHHHH!!!! Yeah I forgot to back that sucker up. Now, the lucky part of all this is that I just deleted the old directories on that partition, I did not format it. So once I realized that, I figured why not just search for it. I mean I knew something about the file, why shouldn’t I be able to just search the raw disk and look for a specific string I know existed in the crontab file. Well guess what, you can and it works like a charm….here is how:

grep --binary-files=text -10 "DO NOT EDIT THIS FILE" /dev/sda9 >/tmp/output

This command was issued on an ext3 partition and found the portion of the file I was looking for in about 20 minutes (the partition is about 450GB). The Unix utils are marvelous and just using a single grep command (above) allows me to look for the string “DO NOT EDIT THIS FILE” (which I knew for a fact was in my deleted file) and output 10 lines of text above and below that line into a temporary file. Now that’s power kids, don’t try this on your Winblows machine :-).
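The same search, as an added example that is not part of the original post: instead of line context, it records the byte offset of each hit and copies a fixed window around it, which behaves better when the surrounding data is binary. The image file is a constructed stand-in for a partition such as /dev/sda9, and the crontab inside it is made up.

```shell
#!/bin/sh
# Added example: locate a known string in a raw image and carve the
# bytes around it. The image built here is constructed sample data.

make_image() {
    img=$(mktemp) || return 1
    {
        dd if=/dev/zero bs=4096 count=1 2>/dev/null
        printf '# DO NOT EDIT THIS FILE - edit the master and reinstall.\n'
        printf '# m h dom mon dow command\n'
        printf '15 3 * * * /home/alice/bin/backup.sh\n'
        dd if=/dev/zero bs=4096 count=1 2>/dev/null
    } > "$img"
    printf '%s\n' "$img"
}

# Print the byte offset of every occurrence of fixed string $2 in file $1.
# -a: treat binary as text, -b -o: offset of the match itself, -F: no regex.
find_offsets() {
    LC_ALL=C grep -a -b -o -F -- "$2" "$1" | cut -d: -f1
}

# Copy a window around offset $2 of file $1: $3 bytes before, $4 bytes after.
# NUL padding is dropped so the result is readable text.
carve_around() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi
    dd if="$1" bs=1 skip="$start" count=$(( $3 + $4 )) 2>/dev/null | tr -d '\000'
}

demo() {
    img=$(make_image) || return 1
    for off in $(find_offsets "$img" 'DO NOT EDIT THIS FILE'); do
        echo "hit at byte $off"
        carve_around "$img" "$off" 2 200
    done
    rm -f "$img"
}
demo
```

When doing this on a real device, write the output to a different filesystem from the one being searched, so the recovery itself cannot overwrite the deleted blocks.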

I’m not quite done with all the install and optimization steps, but I thought I’d start this entry so that I won’t forget what I’ve done. There are quite a number of steps involved. I’ve installed it on an Asus 701 4GB model using a 16 GB class 6 SDHC card. Hopefully this will help others as well. You will need a physical copy of the Ubuntu 8.04 CD, so download it and burn it with your favorite burning software. You will also need a USB DVD/CD reader, I used an old Plextor external drive I had lying around. So here we go:

  1. Get the USB DVD hooked up to one of the USB ports on the Eee, doesn’t matter which.
  2. Stick the boot CD in the DVD and turn everything on.
  3. Press ESC on the Eee during BIOS load to turn on custom boot screen.
  4. On the screen that follows choose your USB DVD drive and let Ubuntu boot.
  5. Get Ubuntu installed. Be mindful of the following:
    1. I did a custom partition scheme on /dev/sdc
    2. I created three partitions:
      1. /dev/sdc1 (8000 MB) is formatted ext3 and mounted on /
      2. /dev/sdc2 (8000 MB) is formatted ext3 and is not mounted on anything
      3. /dev/sdc3 (~430 MB) is formatted swap and is for swap
    3. IMPORTANT: On the screen that says “Ready to Install” you HAVE TO click the advanced… button and change the location of the bootloader to /dev/sdc (which is the SDHC card).
  6. Go and get coffee and/or have lunch/dinner. Writing to SD memory card is slow.
  7. IMPORTANT: When prompted to Reboot at the end….DON’T. Press Ctrl-Alt-F2 to switch to one of the virtual terminals (you can use Ctrl-Alt-F6 to get back) and sudo to change the file /boot/grub/menu.lst so that all lines referring to (hd1,0) or (hd2,0) are changed to (hd0,0). Save the file.
  8. IMPORTANT: sudo and edit the file /etc/rc.local and add this before “exit 0”:
    hal-set-property --udi $(hal-device | grep info.udi | grep storage_serial_USB2 | sed -e 's/.*org/\/org/' -e "s/'.*//") --key storage.removable --bool false
    This will prevent gnome-keyring from segfaulting, which happens when the root device is on removable media. Without this your gnome session will hang after the first reboot.
  9. Now you can switch back to graphical install screen (Ctrl-Alt-F6) and tell the installer to reboot.
  10. Hopefully you did not screw anything up :-) and you’ll get to the gnome desktop.
  11. More than likely you will get a dumb Battery error. Ignore it and move on. If your Network card is not working turn the machine off and do this:
    1. Disconnect the power cable
    2. Take off the Battery
    3. Put the Battery back on
    4. Plug in the power cable
    5. Boot up the machine and make sure you press ESC to get to boot menu…..choose Ubuntu.
  12. Hopefully now the Network is working (Wireless will not be working at this point….later).
  13. Do all the updates.
  14. Reboot.
  15. Note that Ubuntu does not shut down the Eee properly. Shutting down your Eee will make the screen go entirely blank, but does not cut the power, and you will have to force it to fully shut down by holding the power button.

    Sudo and add the following line:
    rmmod snd-hda-intel
    to the end of the /etc/default/halt script in order to make the Eee shut down completely.

  16. Sudo and edit /etc/init.d/rc file, look for CONCURRENCY=none and change it to:
    CONCURRENCY=shell
    Concurrent boot allows Ubuntu to take full advantage of dual-core processors, as well as processors with hyperthreading or multithreading, e.g. Pentium III or higher.
  17. To reduce drive writes sudo and set the ‘noatime’ or ‘relatime’ mount options in the /etc/fstab file. Look for the ‘defaults’ section and add ‘defaults,noatime’.
    UUID=57480a3f-e7db-4a5e-9fca-7df45f5a7d9d / ext2 defaults,noatime,errors=remount-ro 0 1
  18. To further reduce drive writes sudo and put data that is not needed on a tmpfs, which is written to memory. Below is an example:
    tmpfs /var/log tmpfs defaults 0 0
    tmpfs /tmp tmpfs defaults 0 0
    tmpfs /var/tmp tmpfs defaults 0 0
    tmpfs /var/log/apt tmpfs defaults 0 0

    You will lose the data in these areas after a reboot. Data in /tmp is not a big deal, though you may want logs longer than that.
  19. If you did create a swap partition and want to make sure the EeePC does not use it, you can sudo and add the following line to the end of the /etc/sysctl.conf file:
  20. You can also have a look at the AUFS (Another Union File System) instructions that will make your SDHC card read only (with options to unlock it from grub menu). If you choose this option you probably want to skip step 18 (or undo it by deleting the appropriate lines in /etc/fstab).
  21. Download this superscript into your account and change its permissions so you can execute it as a regular user (the script will sudo when needed).
    chmod 755 ./
    DO NOT USE ON EEEPC900/901. Hopefully the site won’t go down but just in case it does here is the content of the script (use at your own risk):
    echo "************************************"
    echo "*** Ubuntu 8.04 LTS RiceeeyTweak ***"
    echo "*** version 0.5 ***"
    echo "*** ***"
    echo "************************************"
    echo "thanks to"
    echo "thanks to"
    echo "thanks to"
    echo "thanks to"
    echo "thanks to Bombela"
    echo "************************************"
    echo "** Gnome settings"
    echo "* Setting font sizes"
    gconftool-2 --set /apps/nautilus/preferences/desktop_font --type string "Sans 8"
    gconftool-2 --set /desktop/gnome/interface/document_font_name --type string "Sans 8"
    gconftool-2 --set /desktop/gnome/interface/font_name --type string "Sans 8"
    gconftool-2 --set /apps/metacity/general/titlebar_font --type string "Sans Bold 8"
    gconftool-2 --set /desktop/gnome/interface/monospace_font_name --type string "Monospace 8"
    echo "* Smaller toolbars icons only"
    gconftool-2 --set /desktop/gnome/interface/toolbar_style --type string "icons"
    echo "* Disabling UI sounds"
    gconftool-2 --set /desktop/gnome/sound/event_sounds --type bool 0
    echo "* Fixing mute key"
    gconftool-2 --set /desktop/gnome/sound/default_mixer_tracks --type list --list-type string "[PCM]"
    echo "* Fullscreen with -F11"
    gconftool-2 --set /apps/metacity/window_keybindings/toggle_fullscreen --type string "F11"
    echo "* Setting suspend when closing lid, blank screen"
    gconftool-2 --set /apps/gnome-power-manager/actions/sleep_type_battery --type string "suspend"
    gconftool-2 --set /apps/gnome-power-manager/actions/sleep_type_ac --type string "suspend"
    gconftool-2 --set /apps/gnome-power-manager/buttons/lid_battery --type string "suspend"
    gconftool-2 --set /apps/gnome-power-manager/buttons/lid_ac --type string "blank"
    gconftool-2 --set /apps/gnome-power-manager/timeout/sleep_computer_ac --type int 0
    gconftool-2 --set /apps/gnome-power-manager/timeout/sleep_computer_battery --type int 300
    gconftool-2 --set /apps/gnome-power-manager/timeout/sleep_display_ac --type int 300
    gconftool-2 --set /apps/gnome-power-manager/timeout/sleep_display_battery --type int 60
    echo "* Don't display battery warning"
    gconftool-2 --set /apps/gnome-power-manager/notify/low_capacity --type bool 0
    echo "* Unconstraining windows to the top of the screen"
    gconftool-2 --type bool --set /apps/compiz/plugins/move/allscreens/options/constrain_y 0
    echo "Gnome settings done."
    echo "** Installing ACPI modules"
    sudo apt-get update
    sudo apt-get install -y -f build-essential module-assistant eeepc-acpi-source --force-yes
    sudo m-a a-i eeepc-acpi
    echo "Done"
    echo "** Building Eee Overclocking Driver"
    wget ""
    tar xvzf eeepc-linux-0.2.tar.gz
    cd eeepc-linux/module
    sudo cp eee.ko /lib/modules/$(uname -r)/kernel/
    cd ../../
    echo "Done"
    echo "** Installing Modules and Driver"
    echo "*Unblacklisting i2c-i801 module"
    sed 's/blacklist i2c_i801/#blacklist i2c_i801/' < /etc/modprobe.d/blacklist > blacklist.tmp
    sudo mv blacklist.tmp /etc/modprobe.d/blacklist
    sudo chown root:root /etc/modprobe.d/blacklist
    echo "Done"
    echo "*Updating /etc/modules"
    sudo cp /etc/modules modules.tmp
    sudo chmod 777 modules.tmp
    echo "eeepc-acpi" >> modules.tmp
    echo "i2c-i801" >> modules.tmp
    echo "eee" >> modules.tmp
    sudo chmod 644 modules.tmp
    sudo mv modules.tmp /etc/modules
    sudo chown root:root /etc/modules
    echo "Done"
    echo "**Installing Overclock Utilities"
    wget ""
    wget ""
    wget ""
    sudo mv /usr/bin
    sudo chown root:root /usr/bin/
    sudo chmod +x /usr/bin/
    sudo mv /usr/bin
    sudo chown root:root /usr/bin/
    sudo chmod +x /usr/bin/
    mv Overclock.desktop ~/Desktop
    echo "Done"
    echo "** Installing OSD"
    sudo dpkg -i eee-osd_2.1-0eeeXubuntu1_i386.deb
    echo "Done"
    echo "** Configuring Sound"
    echo "options snd-hda-intel model=3stack-dig" > snd-hda-intel.tmp
    sudo mv snd-hda-intel.tmp /etc/modprobe.d/snd-hda-intel
    sudo chown root:root /etc/modprobe.d/snd-hda-intel
    echo "Done"
    echo "** Fixing Shutdown Problem"
    sudo sed 's/#! \/bin\/sh/#! \/bin\/sh\n\n##Riceeey Eee shutdown fix\n\nrmmod snd-hda-intel\n/' < /etc/init.d/halt > halt.tmp
    sudo mv halt.tmp /etc/init.d/halt
    sudo chown root:root /etc/init.d/halt
    sudo chmod +x /etc/init.d/halt
    echo "Done"
    echo "** Adjusting Disk atime"
    sudo sed 's/relatime/noatime/' < /etc/fstab > fstab.tmp
    sudo mv fstab.tmp /etc/fstab
    sudo chown root:root /etc/fstab
    echo "Done"
    echo "** Installing WLAN"
    wget ''
    tar zxf madwifi-hal-
    cd madwifi-hal-
    make clean
    sudo make install
    cd ../
    echo "Done"
    echo "All relevant drivers are now installed - hopefully!"
    echo "If you have any troubles please refer back to"
    echo "Please reboot now"
  22. Well, reboot and marvel at your handiwork a bit.
  23. To squeeze even a bit more from the boot process sudo and edit /boot/grub/menu.lst and add the following to the end of the kernel lines (after the “quiet” and “splash” options) for Ubuntu:

Hardy Heron is out…..

Posted on 14:34, April 24th, 2008 by Many Ayromlou

Heha…..Ubuntu’s newest release 8.04 LTS (aka. Hardy Heron) is out and ready for your consumption. This release is major in that it’s LTS. For those of you who don’t know LTS versions of Ubuntu are supported for 3 years for the desktop version and 5 years for server version. ALL FREE….so what are you waiting for…..head over to Ubuntu Land for more info or alternatively just go to the download page.

Okay so this all started with our users not being able to share files on our webserver. We use SSH only for upload/download and interactive access (ie: no ftp). Through trial and error we found out that the default umask (under OSX Server) for sftp uploaded files is 0033 (ie: rwxr--r--) and for directories is 0022 (ie: rwxr-xr-x). This creates a problem when one user uploads a file and another user downloads/modifies and tries to re-upload it: they simply can’t because the group permissions are wrong.

If we were using ftp (which we are not) there are some solutions on the net that allow you to modify the startup parameters for the ftp server so that the default umask for all files is 0013 — which would allow a group of people to share/overwrite each others files — but we are using ssh only.

So we came up with two other solutions — a shared upload account and/or a cron job that would modify the group permissions on the website directory to allow group sharing. We went with the second solution and that’s where I ran into so many problems that I decided to create this post. You see normally Unix users know that spaces (and strange characters) in filenames are a no-no. Well that’s not true for Windows and Mac users, they use spaces and other odd characters in their filenames/folders all the time.

I started writing — what I thought was — a simple “for loop” script to go through the website folder and change the group permissions. Of course on the first try things didn’t work nicely because of spaces, so I started compensating for that and came up with:
for i in `find /Path/to/www -type d -print0 |xargs -0 -n 1`
This kinda worked, but the for loop would still split the lines when it hit spaces in filenames. I tried to mess around with it and gave up. After RTFMing a bit more I tried:
for i in `find /Path/to/www -type d -exec echo \"{}\" \;`
The thinking behind this was that the exec would echo the filenames quoted and it should work….well it didn’t, the for loop still split the input lines at spaces.

Finally after a late-night RTFM session (and lots of cursing), I think I’ve found the ultimate file handling loop statement:
find /Path/to/www -type d ! -perm -g=wx -print0 | while IFS= read -rd $'\0' filename
Okay so this version uses “while” rather than “for” but it works like a charm and chews through spaces and all other kinds of weird chars and creates an output stream that’s ready to be used by your choice of commands (chmod in my case).

After trimming and optimizing the script a bit, here is the final product:
#!/bin/bash
# The following find will search for
# all files under /Path/to/www, that
# are NOT symlinks, and do NOT have
# group write permission. The list is
# "\0" separated and the while portion
# will loop around this character and
# ignore everything else in the path.
find /Path/to/www ! -type l ! -perm -g=w -print0 | while IFS= read -rd $'\0' filename
do
    # We've found a directory with no group
    # write permission, so fix it.
    if [ -d "$filename" ]
    then
        chmod g+rwx "$filename"
        # echo Directory changed
        stat -l "$filename"
    fi
    # We've found a file with no group
    # write permission, so fix it.
    if [ -f "$filename" ]
    then
        chmod g+rw "$filename"
        # echo File changed
        stat -l "$filename"
    fi
done

Hopefully you’ll find this code (or portions of it) useful for your own day-to-day hack-and-slash solutions to annoying problems. Let me know if you come up with an even better solution :-)
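The word-splitting problem described in this post, reproduced on a scratch tree as an added example (not the author's script). It swaps the bash-only `read -d` loop for `find -exec ... {} +`, which hands each path to the command as one argument under plain sh; the directory and file names are constructed.

```shell
#!/bin/sh
# Added example: constructed tree with a space, a newline and a leading
# dash in its names, all without group write permission.

make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/www/My Photos" "$root/www/plain"
    : > "$root/www/My Photos/summer trip.jpg"
    : > "$root/www/plain/-rf"
    : > "$root/www/plain/two
lines.txt"
    chmod -R g-w "$root/www"
    printf '%s\n' "$root"
}

# The failing pattern from the post: the shell splits find's output on
# every space and newline, so the loop runs more often than there are paths.
naive_count() {
    n=0
    for i in $(find "$1" ! -type l ! -perm -g=w); do
        n=$((n + 1))
    done
    echo "$n"
}

# Count the same set safely: find passes whole paths as arguments and the
# inner shell prints one marker line per path, whatever the name contains.
safe_count() {
    find "$1" ! -type l ! -perm -g=w \
        -exec sh -c 'for f in "$@"; do echo x; done' sh {} + | wc -l | tr -d ' '
}

# Apply the fix without a shell loop. -type d / -type f never match
# symlinks, and "--" keeps any odd path from being read as an option.
fix_group_perms() {
    find "$1" -type d ! -perm -g=rwx -exec chmod g+rwx -- {} +
    find "$1" -type f ! -perm -g=rw  -exec chmod g+rw  -- {} +
}

demo() {
    root=$(make_tree) || return 1
    echo "paths: $(safe_count "$root/www"), for-loop iterations: $(naive_count "$root/www")"
    fix_group_perms "$root/www"
    echo "paths still missing g+w: $(safe_count "$root/www")"
    rm -rf "$root"
}
demo
```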

One for the Penguins….

Posted on 11:40, July 19th, 2007 by Many Ayromlou

Right on the heels of our story on reconstructor, a tool that allows you to create custom Ubuntu distribution CDs, here is APTonCD for Ubuntu. It’s basically a graphical tool that allows you to create a CD of all the applications you’ve installed on your Ubuntu system since you installed the system initially. This used to be a pain, if you had to take care of a lab of machines. The drill was: install the OS, add all the required software and then create a master image, followed by multiple image installs.

Well thanks to APTonCD you don’t have to do this anymore. You can install the base CD/DVD (or make your own using reconstructor), add all the extra software from the repositories and then run APTonCD. At which point you can instruct it to create a CD/DVD of all the extra packages you’ve installed. The application can also create a CD/DVD of all the software on a specific repository or download all official Ubuntu repositories onto removable media. Very handy if you’re doing an install without a net connection.

One more thing you can do with this is to get all the Ubuntu official updates/patches/fixes on a CD/DVD, so that you download them only once (if you’re installing multiple machines). As usual the install is a simple one-liner:

sudo apt-get install aptoncd

So you like Ubuntu….

Posted on 22:05, July 9th, 2007 by Many Ayromlou

Came across this the other day. Reconstructor is the new cool tool that allows you to grab your favourite Ubuntu distro (desktop, alternate or server). Now you can have your Ubuntu and eat it too :-). It’s free and runs on Linux (yeah there is a bit of a chicken and egg problem here). Well, I’m off to build Mabuntu (aka Many’s Ubuntu)…..hehehe.