Category Archives: Linux

Ubuntu: configure general proxy usage

In order to let an Ubuntu system access the net via a proxy, edit two files and you're done.

/etc/environment:

http_proxy="http://:/"
https_proxy="http://:/"
ftp_proxy="http://:/"
no_proxy="localhost,127.0.0.1,::1"

/etc/apt/apt.conf.d/90_proxy.conf:

Acquire {
  HTTP::proxy "http://:";
  HTTPS::proxy "http://:";
};

Update ’19: Get snmpd to log more silently

This is an update to the article from 2009 regarding quieting down snmpd - this time in recent Ubuntu LTS 18.04. The issue at hand is the intense chattiness of snmpd to syslog.

Due to the complete shift to systemd, files in /etc/default are increasingly disregarded. Customisations therefore have to be made in /etc/systemd/system. Two steps are necessary:

Create a symlink for snmpd in /etc/systemd:

ln -s /lib/systemd/system/snmpd.service /etc/systemd/system

Edit that file and change:

ExecStart=/usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f

to

ExecStart=/usr/sbin/snmpd -LS4d -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux,mteTrigger,mteTriggerConf -f

Then run

systemctl daemon-reload && service snmpd restart

Now snmpd should be calmed down.

Ubuntu: enable MIBs in snmp tools

Lately I ran into some issues using snmp tools, e.g.:

snmpwalk -v2c -c public ${host} test

I received errors like:

Unknown Object Identifier (Sub-id not found: (top) -> test)

This is because MIBs are not installed in Ubuntu by default. To install them use the following line:

apt-get install snmp-mibs-downloader

Also comment out line 4 of /etc/snmp/snmp.conf so it shows:

# mibs:

Hope that helps someone.

Resize KVM guest’s raw volumes

After running virtual machines in KVM for some time, it might come in handy to be able to resize a KVM guest's raw volumes. In order to do so you first have to shut down your VM:

virsh destroy <guestname>

In order to add an additional 2 gig to your respective machine, you do the following:

qemu-img resize <diskname>.img +2G

Now restart the machine:

virsh start <guestname>

Then use fdisk inside the guest to make use of the new space:

fdisk /dev/vda

There, you delete the respective partition and immediately recreate it - with more space. Now restart the machine in order to let the kernel make note of the changes:

reboot

After a final resize you're able to make use of the sweet new space:

resize2fs /dev/vda1

Voila!

Cleanup Docker Containers

In order to clean up Docker containers from time to time just fire the following:

docker system prune -a 

Enable SMTP for PHP on Ubuntu

Many PHP-based web applications use PHP's smtp function. Unfortunately, Ubuntu's default PHP setup does not install the packages necessary for using smtp. The following command line takes care of their installation:

aptitude install php-net-smtp

Squid 3.x config with NCSA Authentication in Ubuntu 16.04

Here comes an update to the old article on how to configure Squid. The new Squid 3.x which is available in Ubuntu 16.04 requires some different configuration.

Installation is easy. Just fire the following line:

apt install squid

The configuration file to edit is still located at /etc/squid/squid.conf. Make a backup of the original file and have the new one contain the following lines:

http_port 31280

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 1
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl auth proxy_auth REQUIRED
acl localhost src 127.0.0.0/8

http_access allow auth
http_access allow localhost
http_access deny all

cache deny all

forwarded_for off

request_header_access Via deny all 

In order to have users identify themselves, a password file with the corresponding hashes has to be created:

htpasswd -c /etc/squid/passwd USERNAME
chmod 400 /etc/squid/passwd && chown proxy /etc/squid/passwd

That should do it. Squid 3 will ask users for ID and password and proxy your requests.

Asterisk: easily forward Sipgate-calls while keeping the caller-id

This article describes how to forward phone calls that are incoming on a Sipgate VoIP-based number to any given mobile or landline in an affordable way by using FreeVoipDeal. Prerequisites are accounts at Sipgate, FreeVoipDeal and of course your own PBX based on Asterisk.

Configuring an Asterisk PBX is rocket science in itself. To keep this article focused on the main issue I therefore assume you already have a running setup.

In order to forward calls you'll have to use the Windows client of FreeVoipDeal. There you can configure a general forward number which can be a landline or mobile number. Also, you'll have to allow access to the SIP-server of FreeVoipDeal - that is deactivated by default. Now you can use your FreeVoipDeal-account to receive incoming SIP-based calls on youraccountname@sip.freevoipdeal.com.

The tricky part is how to keep the caller's number intact while forwarding. In your extensions.conf you'll therefore have to add the following lines:

exten => s,1,Set(CALLERID(name)=${IF($[${CALLERID(number)} = anonymous] ?  anonymous : 49${CALLERID(number):1} )})
exten => s,n,Set(CALLERID(number)=${IF($[${CALLERID(number)} = anonymous] ?  anonymous : 49${CALLERID(number):1} )})
exten => s,n,Dial(SIP/youraccountname@sip.freevoipdeal.com,,tkw)

Now all your incoming calls are going to be forwarded to your designated number.

Shutdown your hardware on temperature threshold

Faulty temperature control in a datacenter can cause terrible damage. In case you can't influence air con's reliability, you have to set up some protection on your end - that is: your server.

Most modern hard drives provide temperature sensors which can be used to trigger actions when reaching a threshold. I'll describe how to do this with a tool called hddtemp and cron in Ubuntu 16.04.

We need to install the tool's package:

apt install hddtemp

Now we create a little shell script which later we will trigger by cron on a regular basis. In this scenario we save the script in /usr/local/bin and name it harddrive-watcher.sh:

#!/bin/bash
# Check drive temperatures: mail a warning at the first threshold,
# shut the system down at the second.
HOSTNAME=yourHostname
MAILTARGET=root
HDDS="/dev/sda /dev/sdb"
HDT=/usr/sbin/hddtemp
LOG=/usr/bin/logger
DOWN=/sbin/shutdown
ALERT_LEVEL_MAIL=35
ALERT_LEVEL_SHUTDOWN=50
for disk in $HDDS
do
  if [ -b "$disk" ]; then
        # -n prints only the numeric temperature, independent of the model name
        HDDTEMP=$($HDT -n "$disk" 2>/dev/null)
        # Skip drives that return no usable reading (e.g. sleeping or no sensor)
        if ! [[ $HDDTEMP =~ ^[0-9]+$ ]]; then
           $LOG "Warning: no temperature reading for hard disk $disk"
           continue
        fi
        if [ "$HDDTEMP" -ge "$ALERT_LEVEL_MAIL" ]; then
           $LOG "Warning: hard disk $disk temperature reached its warning limit of $HDDTEMP°C"
           echo "Warning: hard disk $disk temperature reached its warning limit of $HDDTEMP°C" | mail -s "$HOSTNAME" "$MAILTARGET"
        fi
        if [ "$HDDTEMP" -ge "$ALERT_LEVEL_SHUTDOWN" ]; then
           $LOG "Emergency shutdown: system going down as hard disk $disk temperature reached its final limit of $HDDTEMP°C"
           sync;sync
           $DOWN -h 0
        fi
  fi
done

Lastly, we add the following line to root's cron file:

*/5 * * * * /usr/local/bin/harddrive-watcher.sh

Now there will be a temperature check every 5 minutes with two thresholds: If the first one is reached you'll receive a mail. At the second threshold the system will shut down to protect its data from thermal damage.

Protecting an Asterisk server from brute force attacks with fail2ban

Recently, the server hosting my Asterisk setup started to get laggy and eventually it even died a few times on me. Checking the logs it turned out that unknown IPs tried to initialize calls through my contexts. The log file carried gigabytes of stuff like this:

NOTICE[1110] chan_sip.c: Call from '' (IP_ADDRESS_REMOVED:5070) to extension '000972597103443' rejected because extension not found in context 'maincontext'.

It was pretty obvious that some hijacked clients tried to initialize calls through my system. Luckily, my setup does not accept calls from unknown parties. Yet, the massive amount of connections filled up my logs entirely and opened so many connections that the system eventually collapsed.

In order to secure other systems in my environments, I'm using fail2ban, e.g. for securing ssh logins. Therefore I will do the same for the sake of my Asterisk health.

  • So as always, you may want to trigger the tool installation:

    aptitude install fail2ban
  • Next create a local configuration:

    cd /etc/fail2ban && cp jail.conf jail.local
  • Now an individual filter description for the according Asterisk log entries has to be added in a new file called /etc/fail2ban/filter.d/asterisk.conf:

    [Definition]
    _daemon = asterisk
    failregex = NOTICE.* .*: Call from \'\' \(<HOST>:.*\) to extension \'.*\' rejected because extension not found in context \'incoming\'.*
            NOTICE.* .*: Registration from \'\".*\" \<sip:.*\>\' failed for \'<HOST>:.*\' - No matching peer found
    ignoreregex =
  • For these filters to take effect they have to be introduced to fail2ban in /etc/fail2ban/jail.local. Assuming there is a default Asterisk setup on your system, the following lines have to be added at the end of that file:

    [asterisk]
    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=asterisk, protocol=all]
    logpath  = /var/log/asterisk/messages
    maxretry = 1
    findtime = 600
  • Restart fail2ban to activate these changes:

    service fail2ban restart
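
With maxretry = 1 a single matching line bans the source, so it pays to check the filter against log lines before relying on it. The following is an added example, not part of the original post and not fail2ban's own code: it approximates the <HOST> tag with a simplified pattern (an assumption) and runs the two failregex lines over constructed log entries, showing that the context name in the first expression has to match the one in your own log ('maincontext' in the excerpt above, 'incoming' in the filter).

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 address or hostname).
HOST = r"(?P<host>[\w.\-]+)"

# The two failregex lines from the filter above, minus redundant backslashes.
FAILREGEX = [
    r"NOTICE.* .*: Call from '' \(<HOST>:.*\) to extension '.*' rejected "
    r"because extension not found in context 'incoming'.*",
    r"NOTICE.* .*: Registration from '\".*\" <sip:.*>' failed for '<HOST>:.*' "
    r"- No matching peer found",
]

# Constructed log lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = [
    "[2019-03-01 10:00:01] NOTICE[1110] chan_sip.c: Call from '' (192.0.2.10:5070) to "
    "extension '000972597103443' rejected because extension not found in context 'maincontext'.",
    "[2019-03-01 10:00:02] NOTICE[1110] chan_sip.c: Call from '' (198.51.100.7:5060) to "
    "extension '900' rejected because extension not found in context 'incoming'.",
    "[2019-03-01 10:00:03] NOTICE[1110] chan_sip.c: Registration from '\"100\" "
    "<sip:100@203.0.113.5>' failed for '203.0.113.9:5061' - No matching peer found",
    "[2019-03-01 10:00:04] NOTICE[1110] chan_sip.c: Peer 'office' is now Reachable",
]

def build_patterns(context="incoming"):
    """Compile the filter; `context` replaces the hard-coded dialplan context name."""
    quoted = "'%s'" % re.escape(context)
    return [re.compile(rx.replace("<HOST>", HOST).replace("'incoming'", quoted))
            for rx in FAILREGEX]

def offenders(lines, patterns, maxretry=1):
    """Return {host: hits} for hosts with at least `maxretry` matching lines."""
    hits = Counter()
    for line in lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # count each log line once
    return {host: n for host, n in hits.items() if n >= maxretry}

if __name__ == "__main__":
    print("context 'incoming':   ", offenders(SAMPLE_LOG, build_patterns()))
    print("context 'maincontext':", offenders(SAMPLE_LOG, build_patterns("maincontext")))
```

On a live system, fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf performs the same check with the real <HOST> expansion.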