UbuntuWrangling
From Unconscious
Throughout my struggle to understand Linux and find a version and flavor that I find useful, I've done little in the way of documenting my labors.
Here I attempt, on a continuing basis, to pull it all together.
Mounting USB HDDs
Virtual Consoles
Checking network settings
ifconfig
Local User Customizations
Adventures in Ubuntu
Securing Apache2
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
-- ScottHerman - 15 Sep 2007
The above procedure generated a certificate that is good for about a month. Here's something a little better, from the ubuntu 7.04 release documentation...
HTTPS Configuration
The mod_ssl module adds an important feature to the Apache2 server - the ability to encrypt communications. Thus, when your browser is communicating using SSL encryption, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar.
The mod_ssl module is available in the apache2-common package. If you have installed this package, you can run the following command from a terminal prompt to enable the mod_ssl module:
sudo a2enmod ssl
Certificates and Security
To set up your secure server, use public key cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a Certificate Authority (CA). The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser. Users are prompted by the browser to accept the certificate and create the secure connection.
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.
Types of Certificates
You need a key and a certificate to operate your secure server, which means that you can either generate a self-signed certificate or purchase a CA-signed certificate. A CA-signed certificate provides two important capabilities for your server:
- Browsers (usually) automatically recognize the certificate and allow a secure connection to be made without prompting the user.
- When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.
Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection.
You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers, and a self-signed certificate does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
- Create a private and public encryption key pair.
- Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
- Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors. Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
- When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.
- Install this certificate on your secure server, and begin handling secure transactions.
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.
Generating a Certificate Signing Request (CSR)
To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
You can now enter your passphrase. For best security, it should at least contain eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive.
Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in server.key file.
Warning
You can also run your secure web server without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure web server. But it is highly insecure and a compromise of the key means a compromise of the server as well.
In any case, you can choose to run your secure web server without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:
openssl rsa -in server.key -out server.key.insecure
Once you run the above command, the insecure key will be stored in the server.key.insecure file. You can use this file to generate the CSR without passphrase.
To create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csr
It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter the Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate. Alternatively, you can create a self-signed certificate using this CSR.
Creating a Self-Signed Certificate
To create the self-signed certificate, run the following command at a terminal prompt:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.
Warning
If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use a self-signed certificate.
Installing the Certificate
You can install the key file server.key and certificate file server.crt, or the certificate file issued by your CA, by running the following commands at a terminal prompt:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
You should add the following four lines to the /etc/apache2/sites-available/default file or the configuration file for your secure virtual host. You should place them in the VirtualHost section. They should be placed under the DocumentRoot line:
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
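The key, CSR and self-signed certificate procedure above, run end to end and non-interactively, as an added example (not code from the page or from the Ubuntu documentation it quotes). It also covers the two points made later on this page about passphrases: the -des3 key is created and then stripped with the same openssl rsa step the page shows, and the stripped key is made owner-only, since an unencrypted key (or a script that echoes the passphrase for SSLPassPhraseDialog) is protected by nothing but its file permissions. Before anything is copied into /etc/ssl it checks that the certificate's modulus matches the key's and that the certificate is valid for the requested period. It assumes the openssl command-line tool is installed; the directory, common name, passphrase and the 2048-bit key size (rather than the page's 1024) are my choices, not the page's.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is
# installed; all file names, the common name and the passphrase are
# constructed sample values.

# Return 0 if the PEM private key in $1 is passphrase-protected, 1 otherwise.
# Both the old "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# The page's "openssl genrsa -des3" step, with the passphrase supplied via
# -passout so nothing prompts. 2048 bits: 1024-bit RSA is no longer accepted.
gen_protected_key() {   # $1 = key file, $2 = passphrase
    openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# The page's "openssl rsa -in server.key -out server.key.insecure" step.
# The result is owner-readable only: it is the equivalent of the passphrase.
strip_passphrase() {    # $1 = protected key, $2 = passphrase, $3 = output key
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && chmod 600 "$3"
}

# CSR with the subject given on the command line instead of the prompts.
gen_csr() {             # $1 = key, $2 = common name, $3 = csr file
    openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null
}

# The page's self-signing step, valid for $4 days.
self_sign() {           # $1 = csr, $2 = key, $3 = cert file, $4 = days
    openssl x509 -req -days "$4" -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Return 0 if certificate $1 and private key $2 share one RSA modulus, i.e.
# the certificate really belongs to the key you are about to install.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if certificate $1 will still be valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Print the subject common name of certificate $1.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Run the whole procedure in directory $1 for common name $2.
# Returns 0 only when every step and every check succeeds.
make_selfsigned() {
    dir=$1; cn=$2; pw="constructed-sample-passphrase"
    gen_protected_key "$dir/server.key" "$pw"                               || return 1
    key_is_encrypted "$dir/server.key"                                      || return 1
    strip_passphrase "$dir/server.key" "$pw" "$dir/server.key.insecure"     || return 1
    key_is_encrypted "$dir/server.key.insecure"                             && return 1
    gen_csr "$dir/server.key.insecure" "$cn" "$dir/server.csr"              || return 1
    self_sign "$dir/server.csr" "$dir/server.key.insecure" "$dir/server.crt" 365 || return 1
    cert_matches_key "$dir/server.crt" "$dir/server.key.insecure"           || return 1
    # A 365-day certificate must still be valid in 364 days and not in 366.
    cert_valid_for "$dir/server.crt" $((364 * 86400))                       || return 1
    cert_valid_for "$dir/server.crt" $((366 * 86400))                       && return 1
    return 0
}

# Stand-alone usage: work in a scratch directory and report the outcome.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" example.test && echo "ok: $(cert_cn "$d/server.crt") in $d"
fi
```

Run it as `sh thisfile.sh run`; the generated server.crt and server.key.insecure are the pair to copy into /etc/ssl/certs and /etc/ssl/private as the page describes. The modulus comparison is the check to repeat whenever a renewed certificate arrives from a CA, since a certificate issued against a different CSR will fail it and Apache will refuse to start.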
I have my https configuration in /etc/apache2/sites-enabled/ssl. Here's what it looks like.
NameVirtualHost *:443
<VirtualHost *:443>
ServerName unconxio.us
ServerAdmin unconscious@unconxio.us
SSLEngine On
# SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
DocumentRoot /var/www/secured/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/secured/>
Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
AuthType Basic
AuthName "UnconsciousOnes"
AuthUserFile /var/local/HTSecurity/HTPassWd
Require valid-user
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/secured/
<Directory "/usr/lib/cgi-bin/secured/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
# Order allow,deny
AuthType Basic
AuthName "UnconsciousOnes"
AuthUserFile /var/local/HTSecurity/HTPassWd
Require valid-user
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>
SSLPassPhraseDialog exec:/some/private/executable/passphrase/script
-- ScottHerman - 21 Dec 2007
Pass Phrase Dialogue
When I first set this up and got it all working, it would run fine for a while. However, when apache2 went down and the init daemon would attempt to restart it, it would fail because it was waiting with an interactive prompt, on the console, for the pass phrase. Since it did not happen often, I thought it anomalous and did not try to address it. After it happened a few times, however, I decided that enough was enough.
I did some investigation, and discovered the SSLPassPhraseDialog directive. This directive specifies an executable script which writes the pass phrase to stdout. The directive may not be specified within the <nop>VirtualHost section of the configuration. An example dialog file is given below. In the actual file "the correct passphrase" is replaced by the actual passphrase.
#!/bin/sh
echo "the correct passphrase"
-- ScottHerman - 09 Jan 2008
Black List
Found this excellent article, and this one as well to go along with it.
Upgrade to Ubuntu 7.10
Networking hosed.
Out of the box, or CD, as it were, Ubuntu 7.10 comes with IP v6 enabled. However, it doesn't work, at least not on labmed.ynhh.org. To disable it I had to edit /etc/modprobe.d/aliases and change the line that said alias net-pf-10 ipv6 to alias net-pf-10 off.
For good measure, I also modified firefox, by browsing about:config, filtering on ipv6, and enabling network.dns.disableIPv6.
-- ScottHerman - 08 Nov 2007
phpMyAdmin
I dunno if this had anything to do with the upgrade or whether it's just one of those all too familiar Linux scenarios: things have changed, and then other things stop working. phpMyAdmin runs on the server, which didn't get upgraded, so I'm not sure how all this correlates. Maybe it's just a case of superstitious dancing (see BF Skinner). Anyhow it did.
Fortunately you can remove and re-install phpmyadmin without trashing MySQL.
sudo apt-get --purge remove phpmyadmin
sudo apt-get install phpmyadmin
Restart your server, and you're done.
Oh, and while I was at it, I secured it by moving the phpmyadmin link (yes, it's just a symbolic link to /usr/share/phpmyadmin) to the https:// root. Same old dribbly password.
-- ScottHerman - 15 Nov 2007
Setting up WebDAV
I've already set up a SVN (subversion) server. I'll document that later. Adding !WebDAV is easy...
sudo mkdir /var/www/webDAV
sudo chown www-data:www-data /var/www/webDAV
sudo chmod 775 /var/www/webDAV
edit the file /etc/apache2/mods-enabled/dav_fs.conf
sudo vi /etc/apache2/mods-enabled/dav_fs.conf
here's what mine looks like
DAVLockDB /var/lock/apache2/DAVLock
DAVMinTimeout 600
<Location /webDAV/>
DAV on
AuthName "WebDAV Login"
AuthType Basic
AuthUserFile /etc/apache2/dav_svn.passwd
## Limit access for security
<LimitExcept GET HEAD OPTIONS POST>
require valid-user
</LimitExcept>
Order allow,deny
Allow from all
</Location>
Note that I used the same password file for svn and WebDAV.
Restart apache2, and publish your calendar. Note that it's an ICS calendar, not a DAV calendar.
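Both the https virtual host earlier on this page and the WebDAV location above protect their content with AuthType Basic and an AuthUserFile. The following is an added example (my code, not the page's) for maintaining such a file without the htpasswd tool, using the Apache-specific MD5 scheme ("$apr1$...") that openssl passwd -apr1 produces and mod_auth_basic accepts, plus a check that the file is kept where the page keeps its own (outside DocumentRoot, readable only by its owner). It assumes the openssl CLI is installed; file names, user names and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is
# installed; all names and passwords below are constructed sample values.

# Add or replace the entry for user $2 in password file $1 with password $3.
# Each entry gets a fresh random 8-character salt, so identical passwords
# produce different hashes. The file is created owner-readable only.
htpasswd_set() {
    file=$1; user=$2; pass=$3
    salt=$(openssl rand -hex 4) || return 1
    hash=$(openssl passwd -apr1 -salt "$salt" "$pass") || return 1
    (
        umask 077
        [ -f "$file" ] || : > "$file"
        # drop any existing line for this user, then append the new one
        { grep -v "^$user:" "$file"; echo "$user:$hash"; } > "$file.tmp" \
            && mv "$file.tmp" "$file"
    )
}

# Return 0 if user $2 exists in $1 and password $3 is correct: recompute
# the hash with the salt stored in the entry and compare the result.
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^$user:" "$file" 2>/dev/null | head -n 1 | cut -d: -f2)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)   # $apr1$<salt>$<hash>
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Return 0 if password file $1 is safe to reference from Apache: it exists,
# is not readable by "other", and does not live under DocumentRoot $2
# (where a misconfiguration could serve it to clients).
htpasswd_file_ok() {
    file=$1; root=${2%/}
    [ -f "$file" ] || return 1
    case "$(ls -ld "$file" | cut -c8-10)" in
        ---) ;;
        *)   return 1 ;;
    esac
    case "$file" in
        "$root"/*) return 1 ;;
    esac
    return 0
}

# Stand-alone usage: build a scratch file and exercise the checks.
if [ "${1:-}" = "run" ]; then
    f=$(mktemp -d)/HTPassWd
    htpasswd_set "$f" scott 'constructed-pass'
    htpasswd_check "$f" scott 'constructed-pass' && echo "scott: password ok"
    htpasswd_check "$f" scott 'wrong' || echo "scott: wrong password rejected"
    htpasswd_file_ok "$f" /var/www && echo "$f: permissions and location ok"
fi
```

The page's own paths (/var/local/HTSecurity/HTPassWd and /etc/apache2/dav_svn.passwd) both pass htpasswd_file_ok when the file mode is 0640 or stricter with www-data as the group. Where the apache2-utils package is installed, htpasswd -B (bcrypt) is the better choice for new entries; the apr1 scheme is used here only because it needs nothing beyond openssl.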
References
- http://www.digital-arcanist.com/sanctum/article.php?story=20070427101250622
- http://www.ubuntugeek.com/howto-setup-a-remote-calendar-using-webdav-with-mozilla-sunbird.html
- http://www.vetula.com/blog-radio/stories/2002/11/19/publishingEventsInMozilla.html
- http://www.mozilla.org/projects/calendar/faq.html#remote_server
-- ScottHerman - 15 Dec 2007
sysctl
Do man sysctl ... very interesting.
The system may fail to bind an IPv4 socket to a given port, because the IPv6 socket has already been bound to this port. This is the default on Linux for sockets listening on any address (:: and 0.0.0.0), as an IPv6 socket listening on any address (::) also accepts IPv4 connections.
The default behaviour can be changed by setting the net.ipv6.bindv6only sysctl to 1 so IPv6 sockets allow only IPv6 connections, and IPv6 and IPv4 sockets can be bound to the same port.
-- ScottHerman - 12 Mar 2008
How much memory is in my system?
This is one of those important questions that I've never known how to ask. =free -m= gives you the basic information.
Here's an example:
scott@herman:~/Code/Java$ free -m
             total       used       free     shared    buffers     cached
Mem:          2019       1961         57          0        100        593
-/+ buffers/cache:       1268        751
Swap:         3121        655       2466
scott@herman:~/Code/Java$
If you like too much information, here is another tool:
scott@herman:~/Code/Java$ sudo lshw -C memory
*-firmware
description: BIOS
vendor: Compaq
physical id: 1
version: 686O2 v2.21 (05/28/2003)
size: 128KB
capacity: 448KB
capabilities: pci pnp apm upgrade shadowing cdboot bootselect edd int13floppytoshiba int13floppy360 int13floppy1200
int13floppy720 int5printscreen int9keyboard int14serial int17printer acpi usb agp ls120boot zipboot biosbootspecification netboot
*-cache:0
description: L1 cache
physical id: 6
slot: Internal L1 Cache
size: 8KB
capacity: 20KB
capabilities: burst internal write-back data
*-cache:1
description: L2 cache
physical id: 7
slot: Cache L2
size: 512KB
capacity: 4MB
capabilities: burst internal write-back data
*-memory:0
description: System Memory
physical id: 22
slot: System board or motherboard
capacity: 2GB
*-bank:0
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
product: 16VDDT12864AY335F2
vendor: JEDEC ID:2C FF FF FF FF FF FF FF
physical id: 0
serial: 7C2618D3
slot: DIMM1
size: 1GB
width: 64 bits
clock: 266MHz (3.8ns)
*-bank:1
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
product: 16VDDT12864AY335F2
vendor: JEDEC ID:2C FF FF FF FF FF FF FF
physical id: 1
serial: 722618D3
slot: DIMM2
size: 1GB
width: 64 bits
clock: 266MHz (3.8ns)
*-memory:1 UNCLAIMED
description: Flash Memory
physical id: 23
slot: System board or motherboard
capacity: 512KB
*-bank UNCLAIMED
description: Chip FLASH Non-volatile
physical id: 0
slot: SYSTEM ROM
size: 512KB
width: 4 bits
*-memory:2 UNCLAIMED
physical id: 0
*-memory:3 UNCLAIMED
physical id: 2
scott@herman:~/Code/Java$
What kind of CPU am I running?
Another fairly common question concerns the CPU characteristics. That information is contained in /proc/cpuinfo. To look at it, you can use less, i.e. =less /proc/cpuinfo=. Here's an example:
scott@herman:~/Code/Java/Java104$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 15
model : 2
model name : Intel(R) Pentium(R) 4 CPU 2.53GHz
stepping : 7
cpu MHz : 2524.986
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up cid xtpr
bogomips : 5054.57
clflush size : 64
scott@herman:~/Code/Java/Java104$
Boot Failure
This morning, after last night's power outage, my D7000, running 8.10, failed to boot. There were all kinds of nasty looking error messages. The first one came from the BIOS on the eSATA interface card. After a while, that gave way to an initramfs prompt.
What was really happening was that the kernel loader was not waiting long enough for the eSATA disk to initialize on power up. I had to add a rootdelay=90 option to the kernel loader. It seems to be ok now.
-- Main.ScottHerman - 14 Mar 2008
