Top 7 uses for a shell account

1. Always-on IRC client

screen

irssi

#Control+A D

Using screen (a back-groundable terminal that can be easily resumed at any time) and irssi you can stay connected to IRC at all times, quietly sitting there… logging everything. 🙂

2. Website

Apart from everything else you can do with a shell account, having a personal website on the same machine as the programs and services you run can be very nifty.

Accessing your IRC logs via your website (so even at work/school/etc. you can check IRC quickly and easily) is one example.

3. Anonymous Browsing

Want a secure, anonymous way to browse? On Linux:

ssh user@server -D 9050

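This creates a SOCKS proxy on port 9050 of your local machine; anything sent through it travels over the encrypted SSH connection and reaches the web from the server. Point firefox/whatever at localhost:9050 (SOCKS) and browse away!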

Windows clients support this too.

4. File Storage

Obviously I’m not saying you should back up your home hard drive to a shell, but doing minor backups can be very useful.

Got a few MBs of source code you want to have backed-up offsite? Why not put it on your shell?

Been writing some papers that are more important than a dead hard drive? Why not back them up every now and then?

scp -r /path/to/folder [email protected]:~

Will copy all files/folders in /path/to/folder to your home directory on shell.com. Using ssh keys for password-less authentication allows you to have a simple, one-line backup script.

5. E-Mail, FTP and other network services

Behind a restrictive connection? If you have outbound access to port 22 (you can always request other ssh ports be used on st0rage.org ;)) you can access any port on that machine.

Check email, use ftp/etc, and choose whether it stays on the shell or if you download it for your machine.

6. Encryption

How can we not mention encryption?

How would you like to be able to store sensitive information remotely and encrypted? Keeping a list of passwords or financial information encrypted with gpg is easy and effective.

gpg --gen-key

#Fill out info, accept defaults.

#Select (O)kay instead of (Q)uit to enter your passphrase

#This can take some time. A lot.

gpg -e file-to-encrypt

#enter your name from the step above.

#push enter again to exit

gpg -d file-to-encrypt.gpg

#contents will be displayed on the screen

gpg -d file-to-encrypt.gpg > file-to-encrypt

#will put the contents in a file

Google will give you some more advanced stuff with gpg, have faith the above is the hardest part. 😛

7. Scheduled Tasks

Cron is a powerful tool. With it, you can run commands at predetermined, recurring intervals.

For example, want to email yourself a reminder a week in advance for certain people’s birthdays? Easy!

crontab -e

0 0 11 3 * mutt -s "Birthday Reminder!" [email protected] < ~/reminders/julie.txt
0 0 26 1 * mutt -s "Birthday Reminder!" [email protected] < ~/reminders/sarah.txt

mkdir ~/reminders

echo "Julie's birthday is on 3-11-`date +%Y`" > ~/reminders/julie.txt

echo "Sarah's birthday is on 1-26-`date +%Y`" > ~/reminders/sarah.txt

Already use the shell for screen+irssi? Why not email yourself a daily log of what was said (or lines containing your name)?

58 23 * * * cat ~/irclogs/*`date +%F`* | grep nickname > ~/daily.log

59 23 * * * mutt -s "IRC Log" [email protected] -i ~/daily.log

Ignoring snoopy logs with logcheck

snoopy is an awesome tool available in the Debian archives. It allows you to see what commands your users have run (by default it logs to /var/log/auth.log). It acts like a beefed-up .bash_history that users cannot disable/delete/etc.

logcheck scans your logs for weird things, and emails them to you.

By default, these two programs do not get along. snoopy entries show up in logcheck’s emails (which can get very, very big). This sort of defeats the purpose of logcheck, since you get sent massive emails with the important stuff hidden between giant blocks of snoopy logs.

To disable this:

echo '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*' > /etc/logcheck/violations.ignore.d/snoopy

chmod 644  /etc/logcheck/violations.ignore.d/snoopy

ln -s /etc/logcheck/violations.ignore.d/snoopy /etc/logcheck/ignore.d.server/snoopy

Now test it

sudo -u logcheck logcheck

To make more logcheck ignore rules, test your file(s) by:

egrep -f logcheck-file /var/log/auth.log

It will display only what will be ignored.

Make sure the file(s) are 644 (rw-r--r--) or logcheck won’t be able to ignore what’s in the file.
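The test described above, as an added example that is not part of the original post: it runs the snoopy rule over a few constructed auth.log lines, shows what would still be reported, and checks the file mode. The host name, the sample lines and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: test a logcheck ignore rule before installing it.
# RULE is the pattern from the post; everything else is illustrative.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*'

# Constructed auth.log lines. The text after "snoopy[pid]:" is an assumed
# format; it differs between snoopy versions.
write_sample_log() {    # $1 = file to create
    cat > "$1" <<'EOF'
Mar 11 00:00:01 shellbox snoopy[4242]: [uid:1000 tty:/dev/pts/3 cwd:/home/alice]: ls -la
Mar 11 00:00:07 shellbox sshd[4250]: Failed password for root from 192.0.2.10 port 50122 ssh2
Mar  1 09:15:30 shellbox snoopy[511]: [uid:0 tty:(none) cwd:/root]: id
Mar 11 00:02:00 shellbox sshd[4300]: Invalid user snoopy from 192.0.2.10
EOF
}

# Number of lines the rule file would hide (what egrep -f shows).
ignored_count() {       # $1 = rule file, $2 = log file
    grep -E -c -f "$1" "$2"
}

# Lines that would still reach the logcheck report.
reported_lines() {      # $1 = rule file, $2 = log file
    grep -E -v -f "$1" "$2"
}

# The post requires mode 644 so the logcheck user can read the file.
rule_mode_ok() {        # $1 = rule file
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$RULE" > "$dir/snoopy"
    chmod 644 "$dir/snoopy"
    write_sample_log "$dir/auth.log"
    echo "ignored: $(ignored_count "$dir/snoopy" "$dir/auth.log")"
    echo "still reported:"
    reported_lines "$dir/snoopy" "$dir/auth.log"
    rule_mode_ok "$dir/snoopy" || echo "rule file is not mode 644"
    rm -rf "$dir"
}
demo
```

Because the rule is anchored on the timestamp and host name, the sshd line that merely mentions a user called snoopy stays in the report.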

Connect to a Running X Session Remotely

From the computer you want to view the remote X session:

ssh root@computer2 -L 5900:localhost:5900

If you can only connect to a linux gateway, you can substitute localhost with the internal IP address of the machine you want to vnc to.

ssh root@computer2 -L 5900:192.168.1.100:5900

On computer2 do the following.

This does not need to be done as root, but you’ll need to be the actual user running the X session if you log in as a regular user. On ubuntu/debian you can use apt-get install x11vnc.

x11vnc -display :0 -passwd password

If it complains that it cannot connect to :0, try this

x11vnc -auth /var/lib/gdm/:0.Xauth -passwd password

Note that using the :0.Xauth method will work if X is just running at the login screen (so you could connect and log into X as a user).

Now, from computer1, do

vncviewer localhost

This is very useful, but make sure you use a password if port 5900 is open on computer2.

Linux DVR/MythTV Box

There’s a lot of information out there for building a MythTV box. I figured I’d throw in my two cents, and hopefully help people that encountered some of the same problems I did.

First, the hardware.

I picked a good case; it’s a low profile case (so you need low profile cards!). It was pretty cheap, looks nice, and came with a power supply. $20 not including shipping.

http://www.svc.com/ycc-s27.html ($40 with shipping)

Front of Case

Since I was on a budget, I picked up a cheap Motherboard and a low power CPU. I had to purchase a Heatsink/Fan elsewhere since the one that came with the CPU would not fit on the motherboard and had a non-standard 4-pin fan power cable.

AMD Sempron LE-1150 Sparta 2.0GHz 45W CPU ($40~)

BioStar AM2 Motherboard ($40~)

Combined, these were $80. While I might have liked more speed for this price, I felt the low power consumption was worth it.

2GB – 2x1GB DDR2 667 ($40)

A 60GB SATA Laptop drive (had it laying around) performs beautifully. It’s responsive, and best of all whisper quiet. It’s not much space, but I have a separate computer with nearly 500GB of free space that I’ll probably be using for NFS.

60GB SATA Laptop Drive ($45)

The PVR-150 (150MCE-LP) capture card performs well; it has a built-in MPEG encoder which takes stress off the CPU (very useful in this case). New this card is around $75, but you can get one off ebay for $20+ less if you feel cheap.

Hauppauge PVR-150MCE-LP ($75)

This card had trouble dealing with the splitters I was using (900MHz and 1100MHz). Removing the 900MHz helped. My cable was being run from the 3rd floor to the basement, which might have been a problem too (no other capture card I’ve messed with had this trouble, not sure if it’s something with this card or just a weird quirk my card had).

Now, I needed a card with S-Video or RCA out. I ended up getting a GeForce 4 MX440 64MB. Ebay for this; new low profile video cards are quite expensive. This isn’t a major performance card, but it’s low profile (mine had only a heatsink, so even less noise). It’ll do fine for TV watching, and some light game playing.

GeForce 4 MX440 64MB Low Profile ($20)

Top of PVR

The last thing this setup needed was a remote control. An ATI Wonder (supported by Linux) was cheap on ebay.

ATI Wonder Remote ($10)

ATI Remote

To get the remote working in Linux isn’t very hard (although it would be nice if lirc would auto-detect controllers). The information is available on mythtv’s website here: http://www.mythtv.org/wiki/index.php/ATI_Remote_Wonder

One important suggestion is to disable the lirc_atiusb module, by adding the following in /etc/modprobe.d/blacklist

blacklist lirc_atiusb

Add the correct module in /etc/modules

ati_remote

Reboot; lircd will no longer hang and your remote should work. 🙂

This setup plays and records video flawlessly (I don’t notice anything while recording and watching at the same time). I play emulators on it (N64, PSX, etc.) with USB-> N64/PSX adapters and definitely think this is worth it. It’s totally silent.

For only $300 including shipping, this isn’t too bad. It could definitely use a larger drive, but personally I like the idea of a central server to store my library (if only to keep down on the noise here in my TV room!).

Security-Related Bug in Ubuntu 7.10

Create a ‘Shared’ folder in /home/username
Create a ‘Shared 192.168.1.100’ folder in /home/username

Right click ‘Shared’ and go to ‘Share Folder’. Add a NFS share with no allowed IP addresses.
Right click ‘Shared 192.168.1.100’. Add a NFS share with no allowed IP addresses.

Go to ‘System’ – ‘Administration’ – ‘Shared Folders’

You will now see only one share, ‘/home/will/Shared’, that allows 192.168.1.100 to access this folder.

This does change the /etc/exports file, and I believe it may be a security vulnerability.

Doing this with a folder with three words (two spaces) adds each word after the space to hosts allowed to access (read-only) the share.

Seems like it would be important for users to share a folder with spaces in it, especially for everyday desktop use.
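An added example, not part of the original post and not the output of the Ubuntu tool: it shows why an unescaped space in an /etc/exports path turns the rest of the folder name into a client, and how the \040 escape accepted by exports(5) avoids that. The 192.168.1.50(ro) client and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: how a space in an /etc/exports path changes its meaning.

# Encode a directory name for /etc/exports: exports(5) accepts a space
# written as the octal escape \040.
escape_export_path() {
    printf '%s' "$1" | sed 's/ /\\040/g'
}

# Unquoted text is split on whitespace: the first field is the path,
# every later field is a client that may mount it.
export_path()    { printf '%s\n' "$1" | awk '{ print $1 }'; }
export_clients() { printf '%s\n' "$1" | awk '{ $1 = ""; sub(/^ +/, ""); print }'; }

# Compare the directory that was meant to be shared with what a line
# really exports. Returns 1 and says who gets access on a mismatch.
check_export() {    # $1 = intended directory, $2 = exports line
    path=$(export_path "$2" | sed 's/\\040/ /g')
    if [ "$path" = "$1" ]; then
        echo "ok: '$path' -> $(export_clients "$2")"
    else
        echo "MISMATCH: wanted '$1', line exports '$path' to: $(export_clients "$2")"
        return 1
    fi
}

# Folder name from the post, with one constructed read-only client.
DIR='/home/will/Shared 192.168.1.100'
BAD="$DIR 192.168.1.50(ro)"                              # path written as-is
GOOD="$(escape_export_path "$DIR") 192.168.1.50(ro)"     # space escaped

check_export "$DIR" "$BAD"
check_export "$DIR" "$GOOD"
```

The first check reports a mismatch: the line exports /home/will/Shared and lists 192.168.1.100 as a client, which is the behaviour the post describes.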

st0rage.org outages

I figured I’d post some information here about recent outages.

I plan on moving st0rage.org over to a new server soon, and there are going to be some changes (user quotas for the first time ever, yay!). I’ll also be offering a paid service, along with an increased free service.
It’s been a lot of work, and has caused some downtime (usually less than 30 minutes). People using irssi I’m sure haven’t been happy. 😉

Sorry about all the trouble, things will be much nicer soon (moving to a much more stable connection).

Lock Screen on Laptop Lid Close

This used to work on one of my old laptops, but ever since I started buying Dell laptops the screen wouldn’t lock when I closed the laptop lid.

To have your screen lock when you close your lid, open a Terminal and run gconf-editor

/apps

/gnome-power-manager

/lock

[x] blank_screen

Make sure that ‘Blank Screen’ is selected in Power Management Properties.

Vostro 1400 Wireless Problems (ipw3945)

A problem with Debian and Ubuntu (and possibly other distros) is that the ipw3945 module fails after a large amount of activity.

The solution is very simple, but it took a lot of work to find it.

Edit /etc/modules and put the following in there

iwl3945

Edit /etc/modprobe.d/blacklist and add

blacklist ipw3945

That’ll do it. The iwl3945 module performs just as well on sftp transfers, and I haven’t noticed any problems with it.

Windows Mobile 2003

I’ve recently been trying to get my hands on a H4100 series iPAQ to put Linux on. The one I bought on ebay turned out to be the wrong model, but in the meantime I’ve been using Windows Mobile 2003.

My biggest complaint is the backwards way you have to switch between programs; apparently you need to open up the Memory manager and ‘activate’ programs.

Frequent wireless drops are common too. I installed PortaPuTTy on the PDA, to use screen and irssi on the go. Wireless networks don’t seem to like the iPAQ however. Even with a strong signal I get dropped fairly often.

The lack of multimedia support is very noticeable. You are unable to listen to Icecast streams with WMP, nor can you play anything but WMV movies.

The Pro version I’m using has remote desktop support for Windows clients, which is nice (although mostly unusable at such a low resolution compared to the other machine).

You rely on the touchscreen to interface with the keyboard. Unfortunately, the keyboard cannot be moved around the screen so it covers up some applications (like PortaPutty) so you cannot see what you are typing. This is a very big annoyance with me.

There is not much open source software ported to the iPAQ for Windows; many applications either don’t work (well or at all) or require payment after 30 days.

Windows Mobile 2003 has been a horrible experience, and I look forward to being able to use mplayer and firefox on my new H4155 iPAQ.

I look forward to trying Linux on my new iPAQ; after I do, I’ll be sure to post about my experience there.

Debian/Ubuntu Apache2 + PHP5 + Mysql + SSL

First let’s grab the packages we need for a basic LAMP setup:

apt-get install apache2 php5-cgi libapache2-mod-php5 mysql-server php5-mysql php5-common apache2.2-common ssl-cert

If using Ubuntu, be sure to install libapache2-mod-auth-mysql

apache2.2-common and ssl-cert are needed to generate a ssl cert

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.crt
mkdir /etc/apache2/ssl
mv apache.crt /etc/apache2/ssl

cd /etc/apache2/mods-enabled
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load

Make sure /etc/apache2/ports.conf is listening on 443

Listen *:443

In your 000-default file in /etc/apache2/sites-enabled (or wherever your VirtualHosts are managed), change:

NameVirtualHost *
<VirtualHost *>

to

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Add a site for SSL:

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/wwws
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/wwws>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

/etc/init.d/apache2 restart

By default, the User/group is www-data so make sure all your website files are owned by this user/group.

chown -R www-data:www-data /var/wwws/

Will accomplish this

All website files should be located in /var/www and /var/wwws (you can choose different directories, of course, like /home/www but make sure you change the config)