Chris’ Blog

I’m not sure what I can really say to that, other than n00b!

After my recent break in I have looked into ways of protecting SSH and my server resources. I employ fail2ban on my main server, it has the resources to run such a programme - my Linksys NSLU2’s however do not. The solution is to use iptables to limit the number of connections any host can make in a given time frame. I wrote up a quick how to on this over at my wiki. Enjoy.

You can tell Linux to respond to broadcast pings by running this snippet from the console.

$ echo 0 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Edit /etc/sysctl.conf to set the option permanently.

I have been playing with packaging for Ubuntu and Debian for a while now and I have one fairly useful package called rsnapshot-scripts which contains a bunch of scripts for use with rsnapshot. It allows you to backup other data sources like MySQL, DPKG and Subversion.

This is a really ugly sed one liner that configures grub how I like it.

$ sudo sed --in-place 's/#\(hiddenmenu\)/\1/;s/^\(timeout[ \t]*\)[0-9]*/\12/;s/^\(# lock.*=\)false$/\1true/' /boot/grub/menu.lst
$ _GPASSWD=$(read -s -p "Enter Grub Password (note type carefully): " _GPASSWD; echo $_GPASSWD | mkpasswd --hash=md5 --stdin); echo; sudo sed --in-place "s/# password topsecret/password --md5 $_GPASSWD/" /boot/grub/menu.lst; unset _GPASSWD
$ sudo update-grub

I keep meaning to document this, the installation procedure for my MCEUSB2 remote control with lirc under Ubuntu, so here we go.

1. $ sudo aptitude install lirc lirc-modules-source module-assistant debconf-utils

2. $ wget http://static.cs278.org/conf/debconf/ubuntu-704_lirc-modules-source -O- | sudo debconf-set-selections
   $ sudo dpkg-reconfigure lirc-modules-source

   This was needed before but is now automated:
   Select mceusb2 and then No, and chooseInstall the package maintainer’s version if the option appears.

3. $ sudo sed 's/MODULES=""/MODULES="lirc_mceusb2"/' /etc/lirc/hardware.conf --in-place

4. $ sudo m-a update,prepare
   $ sudo rm /usr/src/lirc*deb
   $ sudo m-a clean lirc
   $ sudo m-a a-i lirc
   $ sudo depmod -a

5. $ wget "https://help.ubuntu.com/community/Install_Lirc_Feisty?action=AttachFile&do=get&target=lircd.conf.mceusb" -O- | sudo tee /etc/lirc/lircd.conf

6. $ sudo modprobe lirc_mceusb2
   $ sudo /etc/init.d/lirc start

Sources:

• https://help.ubuntu.com/community/Install_Lirc_Feisty
• http://gentoo-wiki.com/HOWTO_LIRC
• http://wiki.videolan.org/How_to_Use_Lirc

gconftool-2 --type string --set /apps/panel/applets/clock_screen0/prefs/format "12-hour"
gconftool-2 --type bool --set /apps/panel/applets/clock_screen0/prefs/show_date true
gconftool-2 --type bool --set /apps/panel/applets/clock_screen0/prefs/show_seconds true

My laptop and desktop are not always connected to the same network as my server and when this is the case its most likely I do not have control of the network or want the information passed over the internet in plain text. So this is my answer to remote munin nodes, using the remote forwarding feature of SSH.

1. Install Munin Node:

   $ sudo aptitude install munin-node

2. Create the upstart event file:

   $ sudo -e /etc/event.d/munin-tunnel

   Write in the following text:

   start on runlevel 2
   start on runlevel 3
   
   stop on runlevel 0
   stop on runlevel 1
   stop on runlevel 4
   stop on runlevel 5
   stop on runlevel 6
   
   exec sudo -u munin ssh -N munin-reporter@munin-server.example.com
   respawn

3. Generate a SSH key for munin:

   You do not want to set a password on the SSH key

   $ sudo sudo -H -u munin /bin/bash
   $ mkdir /var/lib/munin/.ssh/
   $ cd /var/lib/munin/.ssh
   $ ssh-keygen -b 1024 -C munin@`hostname -f` -t rsa
   $ exit

4. Edit the SSH configuration for the munin user:

   $ sudo -e /var/lib/munin/.ssh/config
   $ sudo chown munin:munin /var/lib/munin/.ssh/config

   Insert:

   Host munin-server.example.com
   RemoteForward some-port-number localhost:4949

5. Now you need to do some leg work on your server first create a user so that the SSH tunnel can be created, I used munin-reporter. Then you need to copy the munin users public key on your client into the ~munin-reporter/.ssh/authorized_keys file on your munin server. I will leave this as a user task, set up how you like on your server. I would recommend prepending the munin public key with the following in the authorized_keys file to restrict what the user can do.

   no-pty,no-X11-forwarding,no-agent-forwarding

6. Again, on your server, we need to tell munin where to get the data about the remote host from, using the snippet below:

   sudo nano /etc/munin/munin.conf

   [node.example.com]
   address 127.0.0.1
   port some-port-number
   use_node_name yes
   

7. Next we need to test the connection and verify the host signature so, that it doesn’t need to be done again.

   $ sudo sudo -u munin ssh munin-reporter@munin-server.example.com -v

   Check for any errors etc. if you spot a problem retrace your steps.

8. All that is left is to start the upstart event and wait for some pretty graphs

   sudo start munin-tunnel

So, at home currently rather than at university, this poses a problem when trying to connect to some resources, such as internal machines and private resources. I know Network Manager in Ubuntu has VPN support but I had never tried it out, so, I gave it a go. Issue the following command to install the required package, provides Microsoft VPN support to Network Manager.

$ sudo aptitude install network-manager-pptp

Now you can load my configuration by downloading the configuration file and click on the network manager applet, find the VPN Connections sub menu and hit Configure VPN…. Hit Forward, from the list choose PPTP tunnel, press Forward again and now press Import Saved Configuration…. Find the configuration file I told you to download and select it, now press Forward and then click Apply. Bingo!

Quick tip:

gconftool-2 --type string --set /desktop/gnome/volume_manager/autoplay_vcd_command "vlc %m"
gconftool-2 --type string --set /desktop/gnome/volume_manager/autoplay_dvd_command "vlc %m"

No more crappy totem spawning when you insert a DVD or VCD, but instead the pleasure of VLC.