eth0 interface in VirtualBox (Backtrack 5 VM)
Posted: 5 March 2012 Filed under: system administration | Tags: debian, networking, ubuntu
After generating a new MAC address for a virtual NIC, I had two interfaces: the loopback interface (lo) and eth3. eth0 had disappeared, and eth3 wasn’t getting assigned an IP.
It turns out that udev on Debian assigns a new eth number for each new MAC address. Deleting the file /etc/udev/rules.d/70-persistent-cd.rules solved this problem.
ssh-copy-id behavior
Posted: 17 October 2011 Filed under: system administration | Tags: command line, ssh, ssh-copy-id
Keep an eye out for this one. When using ssh-copy-id to copy my public key to a remote host, I found that it had not properly appended my id to the remote ~/.ssh/authorized_keys file. It concatenated it on to the end, with no linefeed. Just be sure to check for that!
Original remote ~/.ssh/authorized_keys
ssh-dss AAA...== forest@machine
After ssh-copy-id did its work:
ssh-dss AAA...== forest@machinessh-dss AAAAB...gdA== forest@laptop
SSH public RSA key errors
Posted: 5 October 2011 Filed under: system administration | Tags: command line, pki, ssh, system administration
Seen these before when trying to login via SSH with your new RSA public key?
Nov 2 12:09:17 hostname sshd[12712]: error: buffer_get_ret: trying to get more bytes 257 than in buffer 73
Nov 2 12:09:17 hostname sshd[12712]: error: buffer_get_string_ret: buffer_get failed
Nov 2 12:09:17 hostname sshd[12712]: error: buffer_get_bignum2_ret: invalid bignum
Nov 2 12:09:17 hostname sshd[12712]: error: key_from_blob: can't read rsa key
Nov 2 12:09:17 hostname sshd[12712]: error: key_read: key_from_blob AAAAB3N[...] failed
In my case these were the result of copying a public key from e-mail, which tends to mangle long text lines. I usually don’t have this problem because I use the ssh-copy-id script to copy my keys to a remote host before attempting to log in.
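Both of the last two posts describe a key that looks fine at a glance but is not what sshd reads: a second key glued onto the previous authorized_keys line with no linefeed, or a key whose base64 was wrapped or mangled in transit. The following Python script is an added example and not part of either post: it decodes the public-key blob the way sshd's key_from_blob does (a sequence of length-prefixed fields), so a truncated key fails with the same "trying to get more bytes N than in buffer M" complaint seen in the log above, and it splits any line where a second "<type> <base64>" run starts right after a comment. The sample keys are constructed blobs with made-up numbers, not real keys; the file contents, comments and function names are assumptions made for the example.

```python
import base64
import binascii
import re
import struct

# Lookahead for the start of an OpenSSH public key ("<type> <base64>") anywhere in a
# line; used to split keys that ssh-copy-id glued onto the previous line's comment.
KEY_START_RE = re.compile(
    r"(?=(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/]{20,})"
)


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_blob(blob: bytes) -> list:
    """Split a decoded key blob into its length-prefixed fields; ValueError if truncated."""
    fields, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError(f"truncated length field at offset {pos}")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if n > len(blob) - pos:  # the same condition sshd's buffer_get_ret complains about
            raise ValueError(f"trying to get more bytes {n} than in buffer {len(blob) - pos}")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def check_key_line(line: str) -> tuple:
    """Return (ok, reason) for one '<type> <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"bad base64 (wrapped or mangled in transit?): {exc}"
    try:
        fields = parse_ssh_blob(blob)
    except ValueError as exc:
        return False, f"bad key blob: {exc}"
    if not fields or fields[0] != keytype.encode():
        return False, "type inside the blob does not match the leading type field"
    return True, "ok"


def split_fused_lines(text: str) -> list:
    """Return the key lines of an authorized_keys file, splitting any fused runs."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            out.extend(p.strip() for p in KEY_START_RE.split(raw) if p.strip())
    return out


def audit_authorized_keys(text: str) -> dict:
    """How many keys were hiding on fused lines, and whether each key parses."""
    keys = split_fused_lines(text)
    physical = [l for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")]
    return {
        "extra_keys_recovered": len(keys) - len(physical),
        "results": [(k.split()[0], *check_key_line(k)) for k in keys],
    }


def make_key_line(keytype: str, comment: str, *fields: bytes) -> str:
    """Assemble a syntactically valid key line from raw blob fields (for constructed samples)."""
    blob = ssh_string(keytype.encode()) + b"".join(ssh_string(f) for f in fields)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed samples: RSA-shaped blobs (e, n) with made-up tiny numbers, not real keys.
KEY_MACHINE = make_key_line("ssh-rsa", "forest@machine", b"\x01\x00\x01", b"\x00" + bytes(range(1, 33)))
KEY_LAPTOP = make_key_line("ssh-rsa", "forest@laptop", b"\x01\x00\x01", b"\x00" + bytes(range(33, 65)))
FUSED_FILE = KEY_MACHINE + KEY_LAPTOP + "\n"  # second key appended with no linefeed, as in the post
TRUNCATED_KEY = KEY_MACHINE[:60]              # base64 cut short, as a mail client might wrap it

if __name__ == "__main__":
    print(audit_authorized_keys(FUSED_FILE))
    print(check_key_line(TRUNCATED_KEY))
```

sshd treats everything after the base64 field as the comment, so on the fused line the first key still works and the second is silently lost; that is why the audit counts recovered keys rather than only validating each line. The split heuristic assumes a comment never itself contains "<type> <base64>", which is true of the comments ssh-keygen writes.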
Ignoring Ubuntu Upstart for System V compatibility
Posted: 21 July 2011 Filed under: system administration, ubuntu
If you’d like to start an Ubuntu service using the System V-compatible runlevels, use “update-rc.d.” For example:
# update-rc.d ssh defaults
update-rc.d: warning: ssh stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (none)
Adding system startup for /etc/init.d/ssh ...
/etc/rc0.d/K20ssh -> ../init.d/ssh
/etc/rc1.d/K20ssh -> ../init.d/ssh
/etc/rc6.d/K20ssh -> ../init.d/ssh
/etc/rc2.d/S20ssh -> ../init.d/ssh
/etc/rc3.d/S20ssh -> ../init.d/ssh
/etc/rc4.d/S20ssh -> ../init.d/ssh
/etc/rc5.d/S20ssh -> ../init.d/ssh
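To confirm what update-rc.d actually wired up, or to review which services start in which runlevel as part of a hardening pass, here is an added Python helper that reads the rcN.d symlinks back; it is not from the post. Instead of touching the real /etc it builds a throwaway directory tree mirroring the output above, with a constructed decoy service (sshdemo) to show that only exact name matches are reported; pass etc_dir="/etc" to run it against a live system.

```python
import os
import re
import tempfile

# Matches the S<NN>name / K<NN>name link names that update-rc.d creates in /etc/rcN.d.
RC_LINK_RE = re.compile(r"^([SK])(\d\d)(.+)$")


def service_runlevels(service: str, etc_dir: str = "/etc") -> dict:
    """Map runlevel -> ("start"|"stop", priority) for one service from rc[0-6].d.

    Only symlinks whose target is named after the service count, so a stray regular
    file or a link to a different init script is not mistaken for the service.
    """
    result = {}
    for level in "0123456":
        rc_dir = os.path.join(etc_dir, f"rc{level}.d")
        if not os.path.isdir(rc_dir):
            continue
        for name in os.listdir(rc_dir):
            m = RC_LINK_RE.match(name)
            path = os.path.join(rc_dir, name)
            if not m or m.group(3) != service or not os.path.islink(path):
                continue
            if os.path.basename(os.readlink(path)) != service:
                continue
            result[level] = ("start" if m.group(1) == "S" else "stop", int(m.group(2)))
    return result


def build_sample_etc() -> str:
    """Construct a temporary /etc look-alike mirroring the update-rc.d output in the post."""
    etc = tempfile.mkdtemp(prefix="rc-demo-")
    os.makedirs(os.path.join(etc, "init.d"))
    open(os.path.join(etc, "init.d", "ssh"), "w").close()
    for level in "0123456":
        os.makedirs(os.path.join(etc, f"rc{level}.d"))
    for level, link in (("0", "K20ssh"), ("1", "K20ssh"), ("6", "K20ssh"),
                        ("2", "S20ssh"), ("3", "S20ssh"), ("4", "S20ssh"), ("5", "S20ssh")):
        os.symlink("../init.d/ssh", os.path.join(etc, f"rc{level}.d", link))
    # Constructed decoy: same prefix, different service; must not be reported for "ssh".
    os.symlink("../init.d/sshdemo", os.path.join(etc, "rc2.d", "S20sshdemo"))
    return etc


if __name__ == "__main__":
    etc = build_sample_etc()
    for level, (action, prio) in sorted(service_runlevels("ssh", etc).items()):
        print(f"runlevel {level}: {action} (priority {prio})")
```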
Google Datacenter Security
Posted: 26 April 2011 Filed under: security, system administration | Tags: security
Just saw what basically amounts to a marketing video for Google’s Apps customers, discussing some of the features of their datacenters. They’ve put more thought into these facilities than you’d expect, specifically the “sustainability” aspect — which may involve a little bit of greenwashing, but I suppose it’s a start. To recap:
- Physical barriers and perimeter fencing
- 24/7 security (I bet they have free coffee!)
- Access control with badging and biometrics (such as retinal scans)
- Local law enforcement response
- Video monitoring and “video analytics” (motion and object detection, or video tracking)
- Data protection (encryption would have prevented HealthNet’s embarrassing incident, their second in two years)
- File fragmentation, replication and storage (including “sharding” to increase data security)
- Hard drive lifecycle management (how they destroy drives with a crusher and recycle the pieces)
- Fire detection and suppression
A drive crusher: [image not included]
Apache custom logging
Posted: 31 August 2010 Filed under: system administration | Tags: apache, bash, command line, linux, system administration, web analytics
Aren’t you interested in seeing what requests users, bots, or script kiddies make of your site, especially those things that client-side JavaScript-based analytics packages don’t tell you?
Under Apache, custom logging can give you lots of information you might not have seen otherwise. I’ll let the documentation for Apache’s mod_log_config say most of this, but as a quick preview, you could try defining a custom log format up near the top of your httpd.conf with
LogFormat "%a %t %{Host}i \"%r\"" hostlog
for example, then in all of your Directory containers, you could do
CustomLog logs/forest-monsen-site-host-log hostlog
Then, in my case, /var/log/httpd/forest-monsen-site-host-log would contain lines like
192.168.0.3 [31/Aug/2010:08:53:24 -0500] www.forestmonsen.com "GET /aggregator/sources/2 HTTP/1.0"
192.168.0.5 [31/Aug/2010:08:53:24 -0500] www.forestmonsen.org "GET /images/house.gif HTTP/1.1"
And I’d be able to tell which hostname was originally requested by the user — before any of my mod_rewrite rules got to it. Good stuff.
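Here is an added example, not from the post, of reading that hostlog format back: a small Python parser for the `%a %t %{Host}i \"%r\"` lines, a per-hostname tally (the "which hostname was originally requested" question), and a check for requests whose Host header names something this server does not serve, which is where scanner traffic that never executes page JavaScript tends to show up. The first two log lines are the ones shown above; the other two lines, the served-host set and the function names are constructed for the example. It assumes the Host value contains no whitespace.

```python
import re
from collections import Counter

# Parser for the post's format:  LogFormat "%a %t %{Host}i \"%r\"" hostlog
# Assumes the Host value contains no whitespace; a line that does not fit the
# format is reported as None rather than guessed at.
HOSTLOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) "(?P<request>[^"]*)"$'
)


def parse_hostlog_line(line: str):
    """Fields of one hostlog line as a dict, or None if the line does not fit the format."""
    m = HOSTLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    # %r is "METHOD path PROTOCOL"; pad so a malformed request line still yields three fields.
    req = entry["request"].split(" ")
    entry["method"], entry["path"], entry["protocol"] = (req + ["", "", ""])[:3]
    return entry


def parse_hostlog(text: str) -> list:
    """All parseable entries of a log file; unparseable lines are skipped."""
    return [e for e in (parse_hostlog_line(l) for l in text.splitlines()) if e]


def requests_by_host(entries: list) -> dict:
    """Requests per originally requested hostname, i.e. before mod_rewrite touched them."""
    return dict(Counter(e["host"] for e in entries))


def unexpected_hosts(entries: list, served_hosts: set) -> list:
    """Entries whose Host header is not one of the sites this server serves
    ('-' means the request carried no Host header at all)."""
    return [e for e in entries if e["host"].lower() not in served_hosts]


# Constructed sample: the two lines from the post, plus two made-up lines
# (a request by bare IP address and an HTTP/1.0 request without a Host header).
SAMPLE_LOG = """\
192.168.0.3 [31/Aug/2010:08:53:24 -0500] www.forestmonsen.com "GET /aggregator/sources/2 HTTP/1.0"
192.168.0.5 [31/Aug/2010:08:53:24 -0500] www.forestmonsen.org "GET /images/house.gif HTTP/1.1"
192.168.0.9 [31/Aug/2010:08:54:01 -0500] 203.0.113.10 "GET / HTTP/1.1"
192.168.0.9 [31/Aug/2010:08:54:02 -0500] - "GET / HTTP/1.0"
"""
SERVED_HOSTS = {"www.forestmonsen.com", "www.forestmonsen.org"}

if __name__ == "__main__":
    entries = parse_hostlog(SAMPLE_LOG)
    print(requests_by_host(entries))
    for e in unexpected_hosts(entries, SERVED_HOSTS):
        print(f"{e['client']} asked for Host={e['host']} {e['method']} {e['path']}")
```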
sftp chroot jail in Ubuntu
Posted: 11 January 2010 Filed under: system administration, ubuntu | Tags: command line, sftp, ssh, system administration, ubuntu
(Update 16 Mar 2011: Since writing this post, I’ve learned of an easier way to create this chroot jail. Newer versions of OpenSSH enable the “ChrootDirectory” configuration directive. I recommend that you take a look at George Ornbo’s tutorial on chrooting sftp users in Intrepid for the details.)
(Updated 08 Feb 2011 to reflect xplicit’s experience on Ubuntu 10.04.)
I wanted to give a buddy access to a website hosted on my box. So I tried scponly, since I only wanted to provide SFTP access to that particular directory, using a chroot jail. The steps are as follows.
- Install the scponly package using Ubuntu’s APT package management system.
- Use the script provided to set up your first jail and your user’s home directory. For the location of the user’s jail, give the path of the directory you want to share.
- Provide a password for the new user.
- Ensure that the new user has permissions to read and write all the necessary directories in your Web site.
$ sudo apt-get install scponly
$ gzip -dc /usr/share/doc/scponly/setup_chroot/setup_chroot.sh.gz > /tmp/setup_chroot.sh
$ cp /usr/share/doc/scponly/setup_chroot/config.h /tmp
The previous step copies the “config.h” file to help things go more smoothly, as Luke found.
$ chmod +x /tmp/setup_chroot.sh
$ cd /tmp
$ sudo ./setup_chroot.sh
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
For this reason, a writeable subdirectory will be created that
the scponly user can write into.
Note that I removed the /incoming subdirectory created by this script. There was no need for a separate directory for my buddy to upload files. He could have permissions over the whole site tree.
-en Username to install [scponly]
bob
-en home directory you wish to set for this user [/home/bob]
/var/www/sites/bobsite/htdocs
-en name of the writeable subdirectory [incoming]
-e
creating /var/www/sites/bobsite/htdocs/incoming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for bob:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /var/www/sites/bobsite/htdocs/bin/groups
This script added certain directories to the site root (/var/www/sites/bobsite/htdocs). Every other directory needed to be writable by Bob. So let’s add Bob to a special group, and allow that group write access on all the website’s files.
$ sudo adduser bob www-data
We can ignore /bin, /etc, /lib and other directories added to the chroot jail (the website filesystem):
$ sudo find . \! -user root -exec chgrp www-data \{\} \;
$ sudo find . \! -user root -exec chmod g+w \{\} \;
Good to go!
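The setup script's warning above, that the user's home directory must not be writable by the scponly user, is the same rule OpenSSH applies to a ChrootDirectory (root-owned, not group- or world-writable), so it is worth re-checking after the chmod g+w sweep over the site tree. The following Python check is an added example, not part of the post or of scponly: it tests the jail root, .ssh and .ssh/authorized_keys for ownership or writability by a given uid, and builds a throwaway layout under a temporary directory instead of touching a real site. The jailed uid, directory names and function names are constructed for the example.

```python
import os
import stat
import tempfile


def not_writable_by(path: str, uid: int) -> tuple:
    """(ok, reason): could a user with this uid modify `path`?  Group-writable counts as
    unsafe without checking group membership, the same conservative rule sshd applies."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symlink"
    if st.st_uid == uid:
        return False, "owned by the jailed user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"
    return True, "ok"


def jail_is_safe(jail: str, uid: int) -> tuple:
    """Check the jail root plus .ssh and .ssh/authorized_keys (if present) for the jailed uid."""
    for rel in ("", ".ssh", os.path.join(".ssh", "authorized_keys")):
        path = os.path.join(jail, rel) if rel else jail
        if rel and not os.path.lexists(path):
            continue
        ok, reason = not_writable_by(path, uid)
        if not ok:
            return False, f"{rel or 'jail root'}: {reason}"
    return True, "ok"


def demo() -> dict:
    """Construct a throwaway jail layout and evaluate it for a made-up jailed uid."""
    jailed_uid = os.getuid() + 1                    # constructed: some uid other than ours
    root = tempfile.mkdtemp(prefix="jail-demo-")    # mode 0700, owned by us
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)
    incoming = os.path.join(root, "incoming")       # the writeable upload subdirectory
    os.mkdir(incoming)
    os.chmod(incoming, 0o777)
    results = {
        "jail_ok": jail_is_safe(root, jailed_uid),
        "incoming": jail_is_safe(incoming, jailed_uid),
    }
    os.chmod(ssh_dir, 0o777)                        # simulate a careless chmod on .ssh
    results["ssh_world_writable"] = jail_is_safe(root, jailed_uid)
    os.chmod(ssh_dir, 0o755)
    results["owned_by_user"] = jail_is_safe(root, os.getuid())   # jail owned by the user itself
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'safe' if ok else 'UNSAFE'} ({reason})")
```

The check looks only at the jail root and its .ssh files, which is what the script's warning is about; sshd's ChrootDirectory additionally requires every parent directory up to / to be root-owned and non-writable, so on a real system walk the parents too.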
Server move complete
Posted: 1 January 2010 Filed under: system administration | Tags: linux, system administration, ubuntu
I migrated a bunch of stuff from a CentOS 4 server to Ubuntu 8.04 LTS over the last couple of days.
- Five websites: One Moodle and one Drupal site backed by MySQL databases, and three static sites. SSL setup.
- Added some software. How can I work without vim and slocate?
- Security hardening, including a service review, permissions, firewall setup, administrative access through SSH, sudo config, and Postfix with spam filtering.
- Nagios server monitoring config.
I checked my work logs and decided that I did pretty well, considering I got it all done in 10 hours 35 minutes.
Set Debian or Ubuntu server timezone
Posted: 30 December 2009 Filed under: system administration, ubuntu | Tags: command line, debian, linux, system administration, ubuntu
This one’s an easy one, from the tzselect(1) manpage:
sudo dpkg-reconfigure tzdata
Flush DNS cache in Ubuntu
Posted: 15 October 2009 Filed under: system administration, ubuntu | Tags: dns, linux, system administration, ubuntu
Interested in flushing your Ubuntu DNS cache? Note: I’m running Jaunty Jackalope as of the date of this post.
Well, Ubuntu doesn’t cache DNS by default. Your cache rests within your router, or your assigned DNS servers. You could restart your router, if you have access to it. Or wait until the time-to-live has expired.
You can install a local resolver that will cache DNS addresses, if you like. It will speed up your Web access slightly, since your Web browser will check the local cache first. I imagine the time you save will be measured in milliseconds.
Do that with:
sudo apt-get update && sudo apt-get install nscd
And to clear your local cache, restart the service:
sudo /etc/init.d/nscd restart