Simple activation of SSL for Apache2 in Ubuntu 10.10

Only a few steps are needed to activate SSL for the Apache daemon in Ubuntu 10.10:

Load module:

a2enmod ssl

Activate ssl site config:

a2ensite default-ssl

Restart apache:

service apache2 restart 

Adjust the Number of Loop Devices

If you work intensively with virtualisation, VPNs and other software that uses loopback devices, the default of 8 loop devices in distros like Debian and Ubuntu is pretty low. This article explains how to increase that number:

In /etc/modules change

loop

to

loop max_loop=64

After that, run the following command:

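for i in $(seq 0 63); do
    # create only the missing nodes; block major number 7 is the loop driver
    [ -e "/dev/loop$i" ] || mknod -m0660 "/dev/loop$i" b 7 "$i"
    chown root:disk "/dev/loop$i"
done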

Using vmbuilder with libvirt

To generate fully functional Ubuntu kvm-images with vmbuilder (in my case python-vm-builder 0.12.4), the following adjustments have to be made to vmbuilder's libvirt template.

First, copy the directory /etc/vmbuilder/libvirt/ to a location that suits you and use it by passing the --templates option to vmbuilder.

The following lines of libvirt/libvirtxml.tmpl have to be changed:

#if $mac
 
#end if

has to be moved just in front of

</interface>

The line

<graphics type='vnc' port='-1' listen='127.0.0.1'/>

has to become

<graphics type='vnc' port='-1' listen='127.0.0.1' keymap='de'/>

Add the following lines right before the closing devices-tag:


  

Adjust Keyboard Console Layout for Ubuntu 10.10

In order to temporarily change the keyboard layout of an Ubuntu system, the following command from package kbd (aptitude install kbd) does the trick:

loadkeys {us|de|whatever suits you}

A permanent switch is done by reconfiguring console data:

dpkg-reconfigure console-data 

Unattended Security Updates in Ubuntu 10.10

In order to have automatic and unattended security updates in Ubuntu, one needs to install the corresponding package:

sudo aptitude install unattended-upgrades

Due to a missing file in the Ubuntu 10.10 package, the file /etc/apt/apt.conf.d/10periodic needs to be created with the following content:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "1800";

Also, change the first few lines of /etc/apt/apt.conf.d/50unattended-upgrades as follows so that only security updates are considered:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};

It is vital to redo these settings after a global upgrade to a new distro release.

If configured correctly the following command should produce this output:

$ apt-config shell UnattendedUpgradeInterval APT::Periodic::Unattended-Upgrade 
UnattendedUpgradeInterval='1'

Prepping Ubuntu 10.10 for easy KVM-Setup

These are just the basic preparatory steps along with a list of necessary packages. Comprehensive howtos have to be found elsewhere.

First, one needs to check if the necessary hardware prerequisites for virtualisation in KVM are met:

egrep '(vmx|svm)' /proc/cpuinfo 

If there is no output, KVM can't be set up on that machine.

Nowadays, the simple command kvm-ok is available in recent Ubuntu releases and checks kvm compatibility of the available CPU.

Next step is to install the necessary packages:

aptitude install libvirt-bin kvm ubuntu-vm-builder virt-viewer virt-manager

Securing ssh Daemons from Brute-Force Attacks in Ubuntu

  • Install fail2ban:

    aptitude install fail2ban
  • Create local configuration:

    cd /etc/fail2ban && cp jail.conf jail.local
  • Edit /etc/fail2ban/jail.local and enable ssh-ddos by changing the corresponding enabled line to true

  • Restart fail2ban daemon:

    service fail2ban restart
  • Since Ubuntu version 10.04 rsyslogd is used; one of its default settings is to reduce the log output by compressing recurrent messages, which breaks the fail2ban mechanism. Therefore, changing the following line in /etc/rsyslog.conf is vital:

    sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
  • Restart the fail2ban and rsyslog daemons:

    service fail2ban restart && service rsyslog restart 
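Why the rsyslog setting matters, as an added example that is not part of the original post: the script counts failed ssh logins per source address by matching log lines, once over an uncompressed log and once over a log in which repeats were collapsed. The log lines, the address 192.0.2.10, the threshold of 6 and all function names are constructed for this illustration; the match pattern is a simplification, not fail2ban's own filter.

```shell
#!/bin/bash
# Added illustration: message reduction hides attempts from a line-matching counter.

MAXRETRY=6   # assumed jail threshold for this illustration

# Constructed sample: three connections from one address, three failed
# passwords each. $1 = "off" or "on" (the RepeatedMsgReduction setting).
sample_log() {
  local pid line
  for pid in 2101 2107 2113; do
    line="Jan 10 03:14:01 d0 sshd[$pid]: Failed password for root from 192.0.2.10 port $((pid + 38000)) ssh2"
    if [ "$1" = on ]; then
      # identical repeats are collapsed into one summary line
      printf '%s\n' "$line" "Jan 10 03:14:05 d0 sshd[$pid]: last message repeated 2 times"
    else
      printf '%s\n' "$line" "$line" "$line"
    fi
  done
}

# Lines that name the address $1 in a failed-password message (stdin: log).
count_matches() {
  awk -v ip="$1" '/sshd\[[0-9]+\]: Failed password for / && index($0, " from " ip " ") { n++ }
                  END { print n + 0 }'
}

# Real attempts: also credit "last message repeated N times" to the
# preceding line when that line matched. Needs state a plain matcher lacks.
count_attempts() {
  awk -v ip="$1" '
    /last message repeated [0-9]+ times?$/ { if (prev) n += $(NF - 1); next }
    { prev = (/sshd\[[0-9]+\]: Failed password for / && index($0, " from " ip " ")); n += prev }
    END { print n + 0 }'
}

# Succeeds if the matching lines alone reach the threshold.
would_ban() {
  [ "$(sample_log "$1" | count_matches "$2")" -ge "$MAXRETRY" ]
}

for mode in off on; do
  printf 'RepeatedMsgReduction %-3s: %s matching lines, %s real attempts\n' "$mode" \
    "$(sample_log "$mode" | count_matches 192.0.2.10)" \
    "$(sample_log "$mode" | count_attempts 192.0.2.10)"
done
```

With reduction on, the same nine attempts leave only three matching lines, so the counter never reaches the threshold.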

Protection from unintended Reboots in Linux

Handling several servers in different concurrent ssh sessions can lead to confusion. This is especially dangerous when it comes to unintended reboots. Here, molly-guard steps in by adding a confirmation dialog to each reboot command that is executed from a remote shell.

You can install molly-guard in Ubuntu with the following command:

sudo aptitude install molly-guard

Quick & Dirty VoIP Conference Room

This note describes the quick & dirty setup of a VoIP conference room using Asterisk PBX and Sipgate. Three files have to be adjusted accordingly:

sip.conf

[general]
canreinvite=nonat
nat=no
progressinband=yes
limitonpeers=yes
bindport = 5060
bindaddr = 0.0.0.0
context=incoming
qualify=no
callcounter=yes
allow=ulaw
allow=alaw
allow=g722
allow=g723
allow=g726
allow=gsm
srvlookup=yes
language=en
dtmfmode = rfc2833
register => <sipgate_username>:<sipgate_secret>@sipgate.de/<sipgate_phonenumber>
allowsubscribe=yes
notifyringing=yes
notifybusy=yes
busy-level=1
fromdomain=<your_hostname>
;=========================
[sipgate]
context=conferencecontext
type=friend
insecure=invite,port
; nat=yes
username=<sipgate_username>
fromuser=<sipgate_phonenumber>
fromdomain=sipgate.de
secret=<sipgate_secret>
host=sipgate.de
;qualify=yes

extensions.conf

[conferencecontext]
exten => <sipgate_phonenumber>,1,Goto(conf,1)
; uncomment in case recording is needed
; exten => conf,1,Set(MEETME_RECORDINGFILE=/tmp/conference-recording)
exten => conf,1,Meetme(1234,sr)
exten => conf,2,Hangup()

meetme.conf

[general]
[rooms]
conf => 1234,<conf_room_pin>

Quickly setup a new Root Server at Hetzner’s

Preparations in hetzner robot:

  • Activate rescue-system
  • Order automatic hardware reset
  • Log in to the rescue system and change the password

Now, automatic setup can be done via installimage -c {configfile} where {configfile} contains the following:

DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME d0
PART swap   swap      8GB 
PART /boot  ext3       256M 
PART /      ext3      4GB 
PART /var   ext3      2GB 
PART lvm    vg0       all 
LV   vg0    kvm   /kvm    xfs   20G
IMAGE /root/.oldroot/nfs/install/../images/Ubuntu-1010-maverick-64-minimal.tar.gz

Output:

                Hetzner Online AG - installimage

  Your server will be installed now, this will take some minutes
             You can abort at any time with CTRL+C ...

         :  Reading configuration                           done 
   1/14  :  Deleting partitions                             done 
   2/14  :  Creating partitions and /etc/fstab              done 
   3/14  :  Creating software RAID level 1                  done 
   4/14  :  Creating LVM volumes                            done 
   5/14  :  Formatting partitions
         :    formatting /dev/md0 with swap                 done 
         :    formatting /dev/md1 with ext3                 done 
         :    formatting /dev/md2 with ext3                 done 
         :    formatting /dev/md3 with ext3                 done 
         :    formatting /dev/vg0/kvm with xfs              done 
   6/14  :  Mounting partitions                             done 
   7/14  :  Extracting image (local)                        done 
   8/14  :  Setting up network for eth0                     done 
   9/14  :  Executing additional commands
         :    Generating new SSH keys                       done 
         :    Generating mdadm config                       done 
         :    Generating ramdisk                            done 
         :    Generating ntp config                         done 
         :    Setting hostname                              done 
  10/14  :  Setting up miscellaneous files                  done 
  11/14  :  Setting root password                           done 
  12/14  :  Installing bootloader grub                      done 
  13/14  :  Running some ubuntu specific functions          done 
  14/14  :  Clearing log files                              done 

                  INSTALLATION COMPLETE
   You can now reboot and log in to your new system with
  the same password as you logged in to the rescue system.

Now you can reboot into your new system.