This site is now 100% read-only, and retired.

Archive for 2005

As the year draws towards a close I wanted to take the time to thank all the readers and contributors who've made running this site such a rewarding experience. Without your readership, and contributions, there would be little point in making this site available and dealing with the problems that arise - so a big thank you!

Recently we demonstrated the process of installing a binary release of Xen 3.0 on Sarge. Since the packages on Debian Unstable are not yet available for Xen 3.0, we're now going to look at installing it via the packages provided by Ralph Passgang. This also includes building a custom Xen kernel from source.

So in a flurry of package installation to try and get some software to compile, some hardware to work, and some curiosity satisfied, I've somehow crippled the processing power of my computer. Now I know it's not the fastest, but it should be faster. I clearly remember it being fast enough for me to not be bothered until now. Now it seems to take forever to open any program and even worse, after a program is open it's far too slow in responding.

Snort is the leading open source Network Intrusion Detection System and is a valuable addition to the security framework at any site. Even if you are employing lots of preventative measures, such as firewalling, patching, etc., a detection system can give you an assurance that your defences truly

Previously we showed how to add basic completion to commands, using facilities which were already provided by the bash completion routines. In this second part we'll demonstrate how to add completely new custom completion to commands.

One of the nicest facilities of the modern shell is the built in "completion" support. These facilities allow you to complete commands and their arguments easily. Read on for a brief introduction to adding your own command completions.

I'm trying to get a transparent user authentication on Squid (which is running on the same machine as a samba PDC) based on user domain access of windows clients.

I've recently upgraded my system to the new Debian 3.1r0a, using kernel version 2.6.8-2-686-smp. I purchased my system in late (November, I believe) 2001. My initial efforts to install with the 2.6 kernel failed, with what later turned out to be problems related to APIC. Using pci=noapic allowed me to use the 2.6 kernel.

DVD writers have become so common these days that there is hardly any difference between the price of a CD-writer drive and a DVD-writer drive. So I'm assuming that almost everyone would be buying a DVD writer drive these days. Below are a few tips for newbies on how to burn DVDs on a Debian box using the command line. Other GUI tools like k3b, nautilus burner, etc. exist, but it's always fun to know how to do that stuff from the command line.

This article explains how to configure networking in a very pleasant way, so that it works automatically wherever you go. It is adaptable to lots of uses, and may be useful even if you don't use Wifi but connect to multiple networks. This solution has been inspired by a tutorial that can be found in the references section at the bottom of this page. It uses three tools that integrate well with the Debian network configuration:

If you want to make a hotcopy from your SQL database instead of a dump to a text file, you can use the mysqlhotcopy tool. This tool locks a table, copies it and then unlocks it again.

Wikis are simple interactive websites which are extremely easy to use for storing easily updated text content. Using a Wiki you can easily create a lot of content with hyperlinks between them. Debian has packaged several different Wiki systems and here we'll look at installing just one of them: KWiki.

I need to access from the X display of some remote machines (Irix & Linux) behind a firewall from my laptop running a simple Sarge installation. Normally this would be simple but I only have telnet access and not ssh.

Modern desktop computers running Linux have a sort of double personality that they do not usually share with Windows-based PCs. On the one hand, they are used as single-user workstations where the operator is granted full access to the machine resources, and on the other hand they are also real servers.

I'm trying to set up a Mailman list server using Postfix under Debian to handle our mailing lists. Unfortunately, we don't have the ability to run a mail server on port 25, as it is firewalled, and the only destination IP allowed for that port is our ISP's mail server.

Over the past few months several new Debian-based community websites have sprung up, providing summaries of news or new articles and tutorials for their visitors. Are we seeing a healthy growth of new Debian sites, or a splintering into redundant factions?

If you've inherited a bunch of machines, or have only a single generic server in front of you, then you might be curious to learn what hardware you have. Thankfully it is very simple to discover information about your system, even remotely.

Xen 3.0 is the latest release of the popular virtualisation platform. It allows you to install "virtual servers" upon your base operating system, allowing you to create and run several instances of GNU/Linux upon one host. Here we'll take a simple overview at using Xen to install virtual servers.

One of the strengths of the Debian GNU/Linux operating system is the centralised Bug Tracking System (BTS). Users are used to reporting bugs, and if you create your own Debian packages you should make it easy for them to report errors in those packages.

I run Debian Sarge on my main server at home which provides different services. I also run exim4, courier-imap-(ssl), squirrelmail and spamd as my mail setup on this box. Now I am wondering how I could give different users email accounts without adding them system-wide as users.

I want to hand out Apache access log files to hosted customers on a shared server for measurement purposes, at least weekly. I also want them to have access to "error.log" in near real time.

I've studied the books, read the websites, posted for help -- followed the various recipes slavishly, but still, despite generous hints from forum responders, can't get simple peer-to-peer print and file sharing to work.

Nagios is a powerful, modular network monitoring system that can be used to monitor many network services like smtp, http and dns on remote hosts. It also has support for snmp to allow you to check things like processor loads on routers and servers. I couldn't begin to cover all of the things that nagios can do in this article, so I'll just cover the basics to get you up and running.

Hello nerdlings! Steve has gone jolly wild with perl this festive season. And to add to the spirit, here's a piece from me on how to do a search and replace across many files in one line of perl, for several kinds of cases:

If you've ever automated any operations with Perl you'll most likely have written a small script or two, and then left them to run. But how do you know that your code is correct? The answer is to write some test cases and verify they perform correctly. With Perl's test facilities this is a simple thing to do.

As an ex-programmer with a reasonably good knowledge of the Perl programming language I recently re-read this book with an aim to reviewing it. Read on for my thoughts on this classic book.

Well, that may be an overstatement, though I have no idea at this point. What I do know is that the first signs were that 'ssh' failed to configure correctly. The configuration kept bombing on running 'ssh-keygen', with a SIGSEGV. I was able to determine that this file was bad, by comparing with another Debian install. To make a long story short, I eventually determined that I had the following list of files installed from the 'ssh' package:

I have a very slow internet connection at home (I'm lucky when I reach 3k/sec), where I use Debian. As my university keeps a local mirror, I decided to copy it and have it readily available from home. The problem is, every time I want to update it, I must take out my hard disk, fill the paperwork required to get it into the university and download/rsync the mirror.

I have a Debian "sid" box installed onto a root partition on LVM2, boot is on hda. When I set it up originally everything went in well and it boots perfectly. The initial initrd created during install has all the right bits in and it boots and finds the root partition on the LVM2 without a problem. This works fine for both 2.4 and 2.6 family kernels.

If you are like me and have a Spanish Latin American keyboard, but it refuses to work the right way with the Right Alt Key, this will help.

Until recently I used the default 2.6.8 kernel included in Sarge. When I tried to install a vanilla 2.6.14 kernel I faced the "no devfs" problem. It's not that I forgot to turn on "devfs": "devfs" is not part of the Linux kernel anymore. The "udev" subsystem replaces "devfs" and it's easy to install it into Sarge.

I've recently learnt of an interesting new feature of OpenSSH v4 which allows you to reuse open connections when connecting to the same host more than once. If you regularly have multiple open connections to a single host this is a big timesaver.

For as long as I can remember I have wanted to have music integrated into my home. To me what I wanted was simple, a stereo in just about every room all capable of playing music from a central location as well as independent operation (i.e. volume control and "local" music source).

As Debian users what do you think you'd like to see changed in the Debian's future releases? Are there any small changes you'd particularly like to see made?

I have been using Debian (Sarge) for about a year as a webserver. Recently though our family has moved the main computer into the main room, and so we would like to keep the printer down in the utility room where the server is. I can't figure out how to get my parallel port printer working though.

We've previously covered setting up your own repository for Debian's apt-get system, but we didn't cover managing automatic uploads. Thankfully this is a simple task with the reprepro and dupload tools and a small amount of scripting.

Setting up WebDAV (Web based Distributed Authoring and Versioning) was covered briefly previously in an article on SVN. But this didn't stop a plea from a member of DCGLUG for an idiot's guide.

This document covers a very specific, limited purpose, but one that meets a common need: preventing browser, mail, and other clients from complaining about the certificates installed on your server. Not covered is dealing with a commercial root certificate authority (CA). Instead, we will become our own root CA, and sign our own certificates.

There are several times when you'll wish to deny particular clients access to your webserver. The most common and obvious solution is to simply firewall the visitors, however this doesn't let the visitors know what went wrong. They might just believe your webserver is down. A better approach is to use mod_rewrite to redirect them to an error page.

I'm wondering if anyone can help me out with the best way to backup/restore debian package information? I'm trying to write a script which will allow for "seamless" server migration (I realize this is something of an impossibility), and obviously one of the key pieces is being able to match the packages and the package configuration of one server to another.

We install a few Perl modules on production servers for email, websites, that sort of thing, and I'm building a new server, but also I write some code in my spare time that depends on some less mainstream bits of Perl (Chess::PGN::Parse amongst others).

This brief guide will explain the steps you can take to get basic SMTP AUTH working with Debian Sarge's exim4 package. (For users connecting to your server, not for forwarding via your ISP)

How do I configure Apache2 WebDAV to work with Windows XP? I have WebDAV up and working with cadaver, so I know the basics are there. But XP insists on trying to login as DOMAIN\Username instead of Username.

Every system administrator worth his pay knows that one's system should log as much as possible and that logs should be checked for errors, warnings, suspicious activities and other things. Unfortunately, by default, logging is set up in a way that makes this job difficult, bordering on impossible.

I have noticed people asking questions about web server statistics programs on the debian-user mailing list. So I'm posting a compendious version of my original (personal) documentation on how to set up awstats on Debian GNU/Linux for generating statistics for the Apache web server. The article focuses on the steps required to get awstats running on your server, setting up a cron job for it, and reconfiguring logrotate for Apache to take care of lost logs.

Has anyone been able to implement a single sign on using the OpenLDAP and Kerberos packages from Debian? I've been able to get OpenLDAP and Kerberos to work independently, but I can't get them to work together.

This is a brief introduction to setting up an IMAP mailserver. The big attraction of using an IMAP mail-server is that all folders, and state, are persisted upon the server side. So if you login to check your mail from multiple locations you always have the same view of it.

Did you ever want to have a Redhat kernel and drivers installed upon a Debian system? Here is how you can manage that easily.

There are many times when you need to work with CD-ROM images (or ISO files) under Linux. This simple cookbook shows you how to accomplish the most common tasks.

Presently we are migrating from Redhat Linux webserver to a Debian GNU/Linux 3.1 webserver. We need to transfer all the user and passwords across to the new host, so that users can login using their current details.

Debian isn't "officially" supported by HP, but it works great on HP hardware. Only the HP specific software isn't very easy to install on Debian. This should change now!

Shockwave flash can be used for a lot of different things, from annoying web adverts to simple games. One interesting use for it is displaying movies. Movies you can record yourself by capturing on-screen activities. This is ideal for creating simple tutorials.

Monit is a system monitoring utility which allows an admin to easily monitor files, processes, directories, or devices on your Debian system. It can also be used for automatic maintenance/repairs - by executing particular commands when errors arise. To ease administration monit provides a web based monitoring interface, with SSL support.

There are several methods of implementing port knocking (the sophisticated project Knockd for instance). Here we'll demonstrate a very simple means of achieving the port-knocking effect using nothing more than netfilter, or iptables, rules.

I'm trying to figure out the best way to install two versions of a library .deb concurrently. I know how to do this with rpm, but can't figure out a way to do this with dpkg. I've looked at dpkg-divert, but that makes me specify each individual file, so it's kind of a pain. Plus, I would have to set up the diversion, install one, then remove the diversion, then install the other, so my system would still only think that I had one version installed.

This is another story to prove that you should have backup of the system burned on removable media. I had installed /var on separate drive and that drive died last night.

There are thousands of programs contained in the Debian GNU/Linux distribution, but keeping track of new packages hasn't been easy until now.

There are many scripting languages which may be embedded into applications. Some languages have evolved this ability over time, and others have been designed from the ground up as embedded languages. One of the languages specifically designed for embedded use is Lua.

For quite some time now I've personally worked with building custom Linux firewall solutions. I wanted to share my knowledge with others interested in the networking and Linux fields, so I've begun work on a Linux Firewall tutorial series.

I take care of a small group of workstations/servers running Debian stable. I've gradually been upgrading them all from exim3 to exim4 and until today the upgrades have gone very smoothly. I decided that I should finally upgrade exim on the last (and busiest) of these machines this evening and ran into a problem that I can't figure out.

If you have a server which is not working very well, it is possible that the process that you want to use is in a zombie state. You can see that there is a zombie process with top for example. But with top you can't always see which process it is.

I'm planning on removing the Windows based webservers. We host multiple sites for various customers. My question is what is the best way to set this up on Debian Sarge with Apache and FTP?

If you're using the postfix mail server you can reject mails which have viral content at SMTP time - meaning they aren't delivered and you don't have to worry about sending bounce messages to the often-faked "From" address. Below are quick details to setting up clamsmtp with postfix. We also setup an up to date version of ClamAV from the new volatile repository.

What is the smart way to get PHP5 on a Debian stable box?

One of the nice features of GNU Emacs is that you can "reuse" existing windows, and cause new files to be loaded there. This avoids waiting for a whole new editor to startup.

If you've ever been confused at all the directories present within your Linux system here is a quick overview of the directories in common use, and what they contain.

How do I get the DHCP server to dynamically update the DNS server? I know it's possible, but how do I do it?

Under Debian networking is pretty comparable to other distributions of GNU/Linux, especially in areas such as DNS setup. However if you're new to the distribution you might not know where things are set. This brief introduction to networking will show you how it works.

I've been looking into the new maintainer howto, to try and understand how I should properly patch an existing Debian package, in case a Sarge package rsync.

While iptables offers a viable means for limiting network intrusion from outside a local area network as well as containing users in a defined environment set by the administrator, there can be much had with the kernel's use of certain, "flags", if you will that redirect the kernel what to do and what not to do with certain specific protocols.

There are times when you have a package which you cannot upgrade, remove, or install due to scripting errors. 99% of the time these will be bugs which will be fixed after you've reported them. But if you cannot wait you'll need to fix them yourself.

As everyone knows there are a lot of script kiddies out there, running port scanners and SSH dictionary attack tools. Assuming you have proper SSH configuration, this isn't a problem, but it is a nuisance as it clogs up the logs.

There are times when having only a single webserver is insufficient to handle the amount of traffic, or load, you're receiving. In this situation you have several options. If you have the ability to add new webservers into your setup then using pound might be a good approach.

I have a server that I recently upgraded from Woody to Sarge. I'm trying to clean it up and remove all unnecessary software and packages. I don't use the X-window system (X11) anymore and want to remove all components. I'm concerned that I might break something and don't want to hose the server.

I have recently installed Sarge on my PC with the intent on moving to Linux as my primary desktop OS. Since most of my Linux experience is with Red Hat 6.2 (as in I haven't really touched Linux since 1999), I am a little rusty and needless to say a few things have changed in the world of computers since then.

Every now and again I like to spend a while becoming really familiar with the various tools which I use frequently. This week I spent several hours experimenting with the various paging applications available to Debian users. Here is my guide to the common pagers, and what they can do.

This article discusses setting up an integrated IPSec/L2TP VPN using Radius and integrating it with Microsoft Windows clients.

Following on from the procmail article, I wondered what solutions people are using for filtering their email at the server level, and for updating the rules?

Handling email for multiple virtual domains is a common server task. Here we'll show how easy that is to manage using the postfix mailserver using just a couple of small configuration changes.

If you are like me you receive a lot of incoming email, too much to leave in one mailbox. Using the procmail tool you can apply filters to split your mail up into different boxes - or apply almost limitless processing to incoming mail.

If you're new to Debian you might be confused about how to get access to the Debian security updates. This short introduction tells you all you need to know.

Here we're going to introduce a different approach for Debian installations, the Fully Automated Installation system (FAI). FAI is an automated installation tool used to install Debian on a cluster, or number of different hosts.

If you have the source code to two Debian package revisions and wish to identify the changes between them there is a very handy tool called interdiff which will allow you to do that very easily.

A guide to migrating to RAID1 on a working Debian Sarge installation which was installed on a single drive.

I'd like to install a local Debian mirror on my network so that as I experiment with different things (and break them) I can reinstall faster, as well as make new package installs that much faster (new gigabit switch and nics!)

To an extent the question is rhetorical, security depends on the risk, online banks need more than sites offering archives of erotic stories for free, that is what security policies are all about.

Bamboo is one of the numerous Wiki packages included in the Debian distribution, it makes creating simple websites with integrated searches very straightforward. Unlike some more basic Wikis it also allows you to create navigation bars, or menus, with nested pages and organise the structure as you see fit.

I've been an active FreeBSD admin/user for the past five years, running it mainly on Intel hardware, and recently, sparc64 hardware. I've come to really enjoy how the OS is built, and the precision in which it is presented to the administrator. I decided to take my experiences to a more professional setting, and applied/interviewed for a FreeBSD admin position. After a bit of a wait, they informed me that the position was actually not going to be available, but they would like me to interview for a Debian admin position. I said I would be glad to come in. Whoops.

There are many ways you can produce HOWTOS and other organised documents, but one of the simplest to get started with is the linuxdoc tools which allow you to create nice clean HTML, LaTeX, and PDF output from the same input document.

Referer spam is something that has only affected weblogs until recently. However it is now on the rise generally and many webservers are seeing incoming requests with HTTP Referer spam.

If you wish to experiment with a new shell the most natural way to do it is to change your login shell. There are two ways to do this, the right way and the wrong way.

If you wish to keep track of the mail sent and received by a machine then isoqlog is a nice solution allowing you to view your top mail senders and receivers. It works with exim, postfix, sendmail, and qmail.

From the package description: Munin is a highly flexible and powerful solution used to create graphs of virtually everything imaginable throughout your network, while still maintaining a rattling ease of installation and configuration.

As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.

Most Linux distributions use PAM for controlling account logins. PAM is a collection of modules which can be used to authenticate users in a variety of ways. One interesting use for this is to deny access to a host by the time of day.

I run a few different types of servers, and I would like to know how I can use IPTables to restrict access to these servers, mostly my FTPd.

After the previous coverage of cfengine we'll now look at actually installing it and using it for real on a number of different hosts. The rules will come from one central host and be automatically pushed to a collection of managed servers where they will be executed.

After the previous simple overview of cfengine we'll now look in more detail at the rulefiles, which allow jobs to be conducted both locally and remotely.

There aren't many systems as powerful or useful in administering a large LAN as cfengine. However the learning curve is pretty steep, which puts a lot of people off using it. In this introduction to cfengine we'll show what kind of things it can do, and how it works.

There are many common scenarios where keeping track of open network connections is useful. General troubleshooting or fixing specific problems are two obvious cases which spring to mind. The most useful tool I've discovered for this purpose is tcptrack.

I've got an old pentium 120 with no graphics card and I want to install Debian via serial console.

I'm planning on migrating 40 or so email accounts from a RedHat 9 / Sendmail server to a new Debian Sarge box. Of the three popular IMAP servers included in Sarge (Dovecot, Courier and Cyrus), which one have people had the best experiences with?

The principal advantage with an imapd server is that your mailbox is the same for all your mail clients. When you need to filter some emails this is usually a job for your mail client - and if it's not running, there's no filtering. Sieve allows you to filter mails in your Cyrus imap server even when you don't have a client open.

One of the simplest and most easily understood means of creating database backups is to dump the raw contents as SQL commands - which can later be used to reinsert all the data.

rsnapshot is a lightweight backup solution which creates rotated backups of local or remote directories. One of the key benefits of rsnapshot is its extreme simplicity. As a bonus backups are created using hardlinks to reduce the space used upon the backup host.

I would like to install Mason (libhtml-mason-perl) on my plain-vanilla debian stable (Sarge) system. I tried Mason on an old apache-1.3 setup and LOVED it, much nicer than PHP on many fronts. I am an old linux/apache/perl user (formerly redhat), but pretty new with Debian, Apache2, and Mason. I am working my way up several learning curves at once, so please be patient with me.

When you have a dynamic website with all the content loaded from a database backend you're most likely going to wish visitors to be able to search it. Using the builtin MySQL FULLTEXT indexes makes this very simple.

Recently the Debian Bug Tracking system has been upgraded to give it a new look, and several additional features: "bug subscriptions", "bug blocking", and "version tracking". Read on for the details.

Whilst changing the timezone of a machine once it has been installed is not a very common job it does seem to be something that many people struggle with.

Simply put, a 'runlevel' determines which programs are executed at system startup. Most of your exposure to run levels will deal with system startup. You will become intimately familiar with the exceptions the first time you have to troubleshoot a failed system.

Often the boot process of a machine is not as fast as one would like. It is commonly suggested that you reduce the number of started services so that your machine boots up faster. However, one thing we must know before trying to optimize our boot process, is where it is slow. To do that, we will use a tool called bootchart.

I'm using Woody currently, connected to a DSL modem/router that allowed me to set up systems either with DHCP or static IP addresses. Since this was a home networking setup, it was easier to go static.

This article describes a complete system for creating a centralised backup system, complete with strong encryption. Incremental backups are used to minimize the bandwidth, and time, used.

With subversion (and svn-buildpackage) becoming popular, hosting multiple repositories with different access controls is something that is commonly required. Here we'll show how you can set this up in a very flexible manner using PostgreSQL.

This brief introduction for configuring sites and modules in Debian's Apache 2 package explains how to add and remove sites using the supplied tools, along with adding and removing modules.

Can somebody point me in the right direction for setting up DNS for a small home network?

While most people never change their Bash prompt, some of us suffer from a mild form of insanity that drives us to configure every option as far as the system will let us. This article is an example of how far you can push what most people would consider a simple option and hopefully will start a discussion on other prompt customizations and tweaks.

Encryption is often a useful thing, but with the overhead it's often common to forget to do so. Previously we've covered using a loopback filesystem for encryption. An alternative is to use enc-fs which we will introduce here.

There are times when large files need to be chopped into small pieces, for easier movement, or for transfer via email with size limits in place. With the use of standard shell commands you can accomplish this easily.

We've covered building a 2.6 Kernel before in the Debian manner, but here's another introduction in case you missed the last one.

The X11 "rotate and resize" (Xrandr) extension allows you to resize, or rotate, your current display on the fly. Whilst it's not supported for all drivers it's very useful when it does work.

Ever since hotmail originally introduced the concept of a mailbox accessible over the web (way before Microsoft bought them), webmail has been a popular way of accessing email while on the road. This article describes setting up webmail for the users of your Debian system.

Several people have written guides on booting Debian systems faster. Most of these involve reordering initscripts, and other significant changes. There is a much simpler alternative to speeding up boot times though, whilst it might not work for all it's an interesting hack.

gmail is the well-known webmail service from Google. Whilst I've never really used it for mail I do mount its storage space, remotely, upon my Debian machine and use it as another form of backup space.

Making simple edits, such as replacing text, to multiple files is a common chore. Thankfully it is something that can easily be automated. There are several different approaches, depending upon the tools you prefer. Here we'll look at two.

There are times when you need to fix something, or get something done, and don't know where to start. Thankfully there are several forms of support available to the Debian user, here we'll give a brief list of some of the options.

There are times when you wish to just share a simple collection of files with Apache, so you place them into a directory and allow people to browse them. By default Apache's directory index isn't terribly pretty, here we'll show a couple of simple changes which make these indexes nicer to use.

I'm currently in the middle of releasing some software which I've been developing. All the history is stored in a CVS repository and I realise I have no ChangeLog. I hoped it would be possible to use the CVS history to generate the ChangeLog, and here's how to do it.

There are many times when you'll want to create network diagrams, or other simple diagrams using a combination of linked images and straight lines. The dia application is perfect for this.

One of the new features being introduced into Debian's unstable distribution currently is a "tag" implementation. This allows small pieces of meta-data to be associated with each package in the archive, this data can be useful for searching, and finding new packages.

Because they are in the process of being physically moved two Debian hosts are going to be unavailable for the next day or two. The machines in question are running, and

Today my Debian/Sarge box at home took a very sustained SSH attack. After the attack, I got an email saying that "rootkit004w" and "LKM" have been detected. I'm quite aware that the various automated security tools do generate false positives, however it's quite a coincidence. I had restarted some services that generate false positives inadvertently during the attack, so it really could just be coincidence

If you have a large music collection then streaming it across a LAN, or the internet, is a logical thing to do with it. There are several different streaming servers available in the Debian package archives, here we'll have a look at GNUMP3d.

Apache is the world's most popular webserver, powering over half the websites on the internet. It is a stable and reliable platform, but sometimes it struggles under a lot of load. Here we'll look at a couple of simple changes to increase performance when handling a lot of traffic.

The iptables firewall has several useful extension modules which can be used in addition to the basic firewall functionality. One of the more interesting of these extensions is the "recent" module which allows you to match recent connections, and perform simple throttling on incoming connections.

Previously we've described how to run a secure CVS server using OpenSSH, but that didn't allow anonymous users to use the repository to checkout code in a read-only fashion. Here we'll correct that omission.

Debian has now made the transition to the installation of the X11 Window system. If you're running sid/etch you should be able to upgrade now.

When we covered port scanning a short while ago we discovered how to tell which ports had processes listening upon them, via port scanning. What we didn't do was learn how to tell which processes were associated with each open port.

Once upon a time one started a media player, picked a file, pressed play, and music came out of the speakers. The interface was simple and unobtrusive. Time passes. MP3s arrive. Time passes. Media players acquire graphic "skins". Interfaces degenerate into complex goo.

I'm about to set up a Debian Sarge system for my better half and possibly for a friend's father. In both cases they simply want a stable working system, with straightforward tools for basic web, email and word processing.

Debian is well known for the software which is contained in its repositories. There are thousands of packages available already in the official archives, (and more packages held in various unofficial archives). But how does new software get added to the distribution?

One of the unwritten rules of good system administration is never to schedule unattended jobs for times when you won't be there to pick up the pieces (or more crucially not for a time when everyone is asleep).

This is a simple procedure for installing Debian GNU/Linux onto a USB key flash media. It includes several configuration changes but tries to stay as close to a default debian install as possible.

When you're interested in testing the security of your firewall, or generally monitoring the services you're exposing to the outside world a port scan can be a useful thing to run, to test that you're only exposing what you think you are.

Since dpkg only acquired logging facilities with version 1.13, which didn't make it to Sarge, I'm going to present a way to get package installation logged.

There are times when a package upon your Debian system needs reinstalling to fix problems which you might have caused, or to revert back to a pristine state.

I would like to keep track of what, when and where I've done something in the shell for the rest of my Linux life. It is a reasonable wish to have all of my activities logged, so in the future I could check what I did, how I did it, and when I did it. Of course it imposes some security hazard if you type in your password by mistake while working at the shell prompt, so you should be careful and have the right permissions set up.

If you're running a Debian Unstable installation you'll likely have noticed that new package installations, and upgrades, are now prompting for confirmation - warning about package checking. This is because the most recent version of APT supports checking package signatures with GPG.

I am trying to install some management software on our servers, but it can only be downloaded in an i386 RPM binary format, and our system is a Xeon based server (both are product of the same company), running an amd64 Debian. I tried to convert the rpm to deb with alien, but it tells me my architecture is unsupported by the rpm package.

Despite the fact that I have more experience with RedHat, I configured a Spam/Virus filtering system on Debian recently and I thought I should share some knowledge with the community.

My package of choice is MailScanner (and its friends) and I thought I could offer some guidance to people who wish to configure a similar system. MailScanner is a very powerful, scalable and robust, open-source e-mail security package. It processes more than 500 million e-mail messages every day, and is used in more than 20,000 sites around the world.

Do you need to send an HTML email from a script or command line? Whilst there are many different ways of doing this using mail from the mailx package is one of the simplest.

I was recently offered the opportunity to review a copy of "The Book of Postfix", published by No Starch Press. This book aims to be a complete guide to Postfix whether used by the home user, as a mail relay or virus scanning gateway, or as a company mail server.

When it comes to migrating a server machine, which handles webserving for several domains along with email, DNS, and several other services there is a lot to remember. Since I've just migrated the machine handling this domain I'm going to describe how I did it.

The postgrey package is a greylisting implementation for postfix. It is a breeze to set-up and stopped 99.99% of my spam in conjunction with blacklisting.

Greylisting is a relatively recent approach which is designed to cut down on the receipt of incoming SPAM messages. Rather than something running after the mail has been received it attempts to ensure you don't receive mail from spammers in the first place by rejecting messages at SMTP time.

This website is migrating to a new host over the next day or two, during that time there may be issues with availability and reliability.

Previously we've covered mounting remote filesystems using OpenSSH which works very well for most Unix servers. But when it comes to remotely mounting filesystems from Windows servers, or desktops, there's only one choice. The Samba file system module, smbfs.

DAAP (pronounced daaaaaaap and stands for Digital Audio Access Protocol) is a proprietary protocol created by Apple. It allows you to share a directory of music so other people can listen to your songs without the hassle (or illegality) of downloading them to your own computer. It utilizes multicast DNS, or rendezvous, or zero-conf networking, or whatever the current buzzword is for that technology. Think of mDNS as peer-to-peer DNS -- so whenever you jump on a network, your mDNS enabled programs broadcast all over the network looking for other mDNS programs and they couple together and have a great time.

When you're using bonded ethernet interfaces (2 or more cards bound to a single IP address) it can be difficult to manage addresses. Multiple sites might have different IP networks and that means different interfaces files for each site.

I've seen cron-apt mentioned a few times here so I thought I would post a little introduction to it in case anyone was curious as to how to use it, or hadn't heard of it before.

When you have an Apache server serving multiple virtual hosts it becomes difficult to keep track of what it's serving at each moment - because in most cases each virtual host will log to a different place, you cannot read all the logfiles simultaneously.

A common question for new users is to ask, "what is the best Linux distribution for me?". I believe that the best Linux distribution is the one you personally like best: see Best Linux Distribution, however for a user new to Linux, this is no help. First, I would like to begin with a true story.

According to the Linux watching web site, DistroWatch, there are more than 400 Linux and BSD distributions currently available and active. Many of these exist with many versions, giving thousands of possible options to choose from.

Is there a package or configuration available which allows you to log whenever a package is installed or removed?

This is a short guide on how to set up distcc to run in chroot and send/receive traffic over an encrypted tunnel using the OpenVPN software.

The new Debian stable release, codenamed Sarge, has officially been released today.

Most Linux users pride themselves on compiling their own kernels. However, not everyone wants to do all that work, so Debian has a number of precompiled kernels available as packages. This article describes how to install these precompiled kernels using the apt package management system, based on my own experiences upgrading from 2.2.x to 2.4.x.

After a new user transitioning from FreeBSD to Debian asked how to customize the options used to build a Debian package, I responded with a short and sweet recipe. Someone kindly suggested that I turn it into a full HOWTO. I have done just that.

At work we are forced to expire the root password every 60 days. I would have root locked and sudo for everything, but to comply with SOX rules IT had mandated this silly policy. The snag is we often don't login, so when we need to, the password has expired and we can't become root. I just sudo to root, but not other staff - they reboot into single mode, and then set a new password...

Because OpenSSH allows you to run commands on remote systems, showing you the results directly, as well as just logging in to systems, it's ideal for automating common tasks with shellscripts and cronjobs. One thing that you probably won't want to do though is store the remote system's password in the script. Instead you'll want to set up SSH so that you can log in securely without having to give a password.

Having set up a reliable Debian `sarge' server in a production environment, I'm now eliminating any potential obstacles to running it on a round-the-clock basis. Inevitably, this has led me to hook up the machine to an uninterruptible power supply (UPS) unit, and though this alone should be enough to keep the machine running through minor power outages and line problems, it would definitely be better if the box were aware of the UPS' state, so that graceful shutdowns could be performed, at the very least.

Renaming multiple files seems to be a problem which many newcomers to shell scripting, or administration, have problems with. But once you've done it a few times the actual solutions are very simple.

Steve's article Building Debian CD-ROMS Part 1 - dfsbuild convinced me that dfsbuild was the tool to put together a rescue CD for my laptop. The default configuration wasn't quite what I wanted, as my wireless card needs a patched kernel. I also needed to include some extra files so that networking would work "out of the box".

Have you ever wanted to create your own livecd? A complete Debian system which runs entirely from CD-ROM is simple to create, and can be made in minutes with bootcd.

The majority of applications you'll wish to use upon your system are already available as Debian packages, or as backports if you're running Woody. But there may be a few applications you need to install from source. Rather than fully Debianising the package yourself you can integrate it into your system with checkinstall.

I used to have a "catch-all" address set up on my mailserver, so that mail sent to any unknown address would be forwarded to my personal account. That's cool because you can just make up addresses on the fly when you're filling out webforms and such, to help keep track of who's distributed your e-mail address.

What ho! Get on board! Let me take you on a voyage of discovery on the vast ocean of GNU/Linux. We will venture forth and study some nifty tools, including the curious thing known as a fifo.

There are many uses for databases, for example storing results and data processing. However there are cases where using a full database is unfeasible. If your job is small you might consider using the standalone package sqlite to create a simple database.

If you don't wish to be surprised when you suddenly run out of disk space on your system(s) it's a good idea to regularly monitor how much free space you have, and which directories and files are taking up the most space.

Several popular tools require a Java runtime environment, or JRE, to work. Whilst there are a growing number of open Java environments, at times installing the Sun Java environment is the pragmatic approach - unfortunately the software doesn't come in a Debian package. This short recipe shows how to install a Java SDK, or JDK, as a Debian package, and make it work inside your browser.

If you're using the exim4 mail server you can reject mails which have viral content at SMTP time - meaning they aren't delivered and you don't have to worry about sending bounce messages to the often-faked "From" address.

Many mail servers need to handle mail for multiple virtual domains. This can easily be achieved with Sendmail, postfix, or qmail. Here we'll cover how it's done with exim4 - the default mailserver for Sarge.

I'm looking for software to use for an online forum, which should I choose?

There are a lot of Debian systems running PHP code, and in their default state the Debian PHP packages don't tighten up security as much as they could. There are a lot of badly coded scripts out there which can be abused by malicious users. (PHP is by no means alone in that regard!)

If you run a website which is mostly serving static files you can save a lot of bandwidth, in exchange for a slightly higher CPU load, by compressing the files you send to visitors. Both Apache and Apache2 allow this to be set up easily, although the method differs. Here we'll explain how this is achieved with Apache2.

mod_rewrite is a module for Apache which allows you to rewrite and manipulate URLs which are sent to your webserver. It has many uses from the simple to the complex. Here we'll introduce the basics of enabling and using the module.

99% of all remote administration jobs can be carried out with only shell access via SSH. But some jobs require you to interact with a graphical application, those jobs can be handled with VNC.

Over time most Debian installations acquire packages which are no longer required - they've just been pulled in to satisfy dependencies of software you've since removed. Whilst there are many ways to fix this, the deborphan package is probably the simplest.

In my home network I have 2 Debian Sarge machines: one acting as a server (web, samba, cvs, etc), the other one as a client (KDE). To keep up with all updates I regularly perform 'aptitude update; aptitude upgrade'. Separately, for each machine.

When you first start examining a new project it can be hard to understand the source code, especially if it's a large project. Whilst often a simple bugfix, or tweak can be made to a project by somebody who doesn't understand the full picture it's hard to know where to start.

This is the first real site update in quite some time, telling readers what I expect to be happening in the short term and what I'm doing with the site along with some statistics.

GNU Bash is one of the most common shells in the Linux world, it's also the default shell on Debian systems. People who use it frequently and browse the manual usually learn something new, here I'm going to share two tips I cannot live without. What are yours?

Previously we've discussed how to speed up compilation by running the job on multiple machines with "distcc". If you only have a single machine, and you are compiling the same program more than once a useful alternative is the compiler cache.

There are many situations where you install (or make changes to) a system and you need to troubleshoot what on earth has broken when you no longer have proper network connectivity.

Following on to the previous article on Card Readers and USB keys using udev we can go one step further and get automounting working.

I have three different memory card readers - each providing access to 8 or 9 different card formats. In addition I have a MobileDisk USB keyring. Debian supports these quite well out of the box but the device node changes with each time you plug and unplug the devices - is my CF reader /dev/sdd1 or /dev/sde1?

dfsbuild is a relatively recent tool which allows you to build livecds based upon Debian. Its intended purpose is to allow you to install Debian from scratch, but because it is a simple means of building livecds it is useful for people who use Debian and don't wish to reinstall.

There are many solutions for printing PDF documents which cost money, and which do not. But with all these solutions, you can do this on your own computer. But what to do if one needs this in a centralized way?

Tor is a SOCKS proxy which allows you to surf the internet whilst protecting your IP address.

To save power it's often useful to turn systems off, but of course when you do that you cannot use them! This is especially frustrating when you turn off a machine which is physically remote from you, but it doesn't need to be. Many modern PCs have the ability to be remotely "woken up" and turned on.

For some operations finding the dimensions of the current X11 Window System's root window (ie the desktop size) is important.

There are many application-level firewalls for other platforms, which allow you to allow or deny particular programs from making use of your network. With the standard iptables firewalling tool you can achieve the same thing on Debian systems.

If you have an Apache webserver exposed to the internet you will probably find that it logs requests from worms which attempt to attack webservers. These requests are usually very long, and can take up large amounts of space in logfiles.

One of the strengths of the Debian system is the way in which it deals with having multiple similar packages installed, and allowing you to choose which one you use.

Many of the services installed on Linux machines will produce logfiles which grow, and grow, and grow. If left unchecked you can easily fill a disk with a large collection of logfiles if you're not careful.

The Debian distribution is one which is based upon binary packages, which are built by developers from source, and then uploaded into the archive and mirrors. Obtaining the source code which is used to build packages is very simple - but sometimes you might want to work with the binary packages.

I've always kept my email around ever since I first started receiving it. Every message addressed to me, except spam and viral mail is archived. Each message is filed away safe and sound in case I need to look at it again.

When creating new packages it's important to test that they can build properly on all machines, not just the machine that you use to test it on. This usually means testing that the package build-dependencies are specified correctly.

I administer the lab for a research team. We all use Debian. Although I'd been network administrator for some time, I've never faced the problem of maintaining several Debian workstations (nice that all WS are identical). The first thing I did was to copy every CD of Sarge into a directory in the server and export it via http. Then I set up each workstation to update against this repository.

Many people use their Debian machines for compiling software and waiting for large compilation jobs to finish can be very frustrating. For example compiling GCC on my home machine takes over ten hours. But by sharing the compilation jobs amongst a number of machines compilation can be finished in much less time.

I am a small administrator, entering the desktop area and looking for some way to improve my desktop installation and maintenance. So ... for desktop use and to help new Debian users, I made a package list and a small bash scripted installer to install this package list on all the machines after a base install only.

One thing that has often annoyed me about most typical Linux installations I've seen has been the annoying frequency of console beeps.

Like a lot of other Linux distributions Debian handles hardware access via the groups upon the system. This is the single most common reason why access to sound, CD-ROMs, and other devices fail.

Mailing lists are good for achieving discussion when you have no idea in advance how many people might be interested - because there's no real limit to the number of members. They're also good for preserving history as the messages can be archived easily and made searchable on the web.

I have found on kernels 2.4.27 (debian), 2.4.29 (mepis) and 2.6.10 (mepis), when I try to transfer a large volume of files, with total size about 1G, the USB hard drive gets reset, and goes offline.

Does anybody have experience on integrating dspam with a running postfix with virtual users contained in a Mysql database?

ngrep is a piece of software which is designed to mirror the standard pattern matching utility grep, although instead of matching patterns against text files it matches traffic passing over a network interface.

I have a machine which has a large number of users, many of whom are inactive. I would like to be able to identify and purge these users and their files. Is there a standard way to do this, and if so, what is it?

I currently have a Debian box working as a server/firewall/NAT router. Inside my local network I have a linux box and a dlink voip appliance. I monitor my webserver using a small program I wrote but I have no idea how to go about monitoring the network usage. I am trying to set up MRTG, although I haven't got it working yet. I am wondering if someone could give me a few ideas of how I could solve what I want to do, or even better, write up a complete article.

I unfortunately use on my system a mixture of Woody/Sarge packages. Now I need to have a list of all packages, where I can see which package belongs to Woody and which to Sarge.

One of the other major software upgrades available to you after upgrading to Sarge is Apache2. This is the reworked version of the world's most popular webserver.

You've probably come across the problem in which you have several xterms open in your window manager - and you can't tell which is which when they are out of view!

In most Debian desktop systems all the packages come from the Debian package repositories, and possibly some other non-official ones. These repositories contain everything you need, with one common exception. Plugins and extensions for browsers often have to be downloaded separately.

Upgrading from Woody to Sarge gives you a lot of new packages, and large upgrades in packages you may be familiar with. One of the large upgrades that you might be specifically interested in is Exim4.

I have written a detailed HOWTO for getting a Debian package repository up and running.

Previously we've looked at setting up a virtual Woody installation, and now the real fun starts. Firstly we need to configure this virtual image to match our real one, then we can actually perform the upgrade.

The next stable release of Debian is drawing closer than ever, so now is a good time to think about handling the migration. For servers only performing a single job such as being a gateway, or a proxy server, the upgrade should be straightforward. Other servers running multiple services are liable to have more complicated upgrades. With that in mind a good approach is to simulate the upgrade, allowing you to practise it.

Sometimes you want to have users, that have access to files on your server, but don't want them to be able to log in and execute commands on your server.

I'm looking for a way to automatically install security updates on a webserver running Debian stable, but with a twist: that the installation should be delayed a few days from when the updated package is released.

This site is a great idea. To attract more authors, perhaps it would help to allow people to submit questions they need the answers to, and advertise the questions on the front page. Then, people who think they know the answer and feel like helping out could write an article

Debian is the single largest GNU/Linux distribution around, with more developers, more supported platforms and more packages than any other. With so many choices it's often the case that people will have differing ideas about the tools to use - such as text editors. The Debian alternatives system attempts to solve this problem.

This is intended to be a quick and dirty guide to building your own kernel packages for Debian. For more information, see the links at the end of the article.

Rather than simply removing power from your Debian machine you should shut it down cleanly, this means that the filesystem will not get confused or messed up and all your files will be intact.

If you're running a webserver which gets cracked due to an insecure CGI, or PHP, script you'll likely want to know what the attacker did. One simple way of doing that is to log all the commands which are executed on a machine.

There are several worms which attempt to exploit vulnerable SSH servers, by logging in to a host with a collection of usernames and passwords such as "admin/admin", "test/test", "root/root", etc. These shouldn't be of much concern if you're keeping good passwords, but there are simple ways to prevent them regardless.

When you run a largely dynamic website there's a fair amount of effort which needs to be expended for each visitor. For example pulling out headlines and article bodies from a database. Given that most users will not login and customize their screens you can imagine that a lot of the time you're serving new visitors you're actually

It's very useful to be able to view the statistics of websites, to see how visitors are finding your sites, which pages are the most popular, etc. Debian contains several packages for presenting this information to you, and here we'll look at two of them.

If you run a webserver for lots of different users it can be useful to allow all the PHP scripts to run under the identity of the user who owns them - rather than having all PHP scripts upon the system run as the same user (Typically www-data on Debian systems). suphp allows you to do this easily.

Debian machines are normally setup so that the /tmp partition, or directory, is emptied as part of the boot process.

All Debian developers have a Gnu Privacy Guard key which was verified as belonging to them when they joined the project. These keys are used to sign packages before they are uploaded to the main archive, for signing messages on mailing lists, etc.

If you're worried about storing confidential material upon your home machine, or a laptop, then you might be interested in using encryption. Applications such as GNU Privacy Guard are good for protecting single files, but they lack something when wanting to keep a whole directory secure. This is where mounting volumes with an encryption module can be useful.

For testing out Window managers, or developing applications it's sometimes useful to run more than one X11 Window session. Normally you'd do that by setting up X to run on another virtual terminal, but that's a bit awkward to use, and only works if you're physically in front of the machine. Instead you could run nested X11 sessions.

A few days ago I was upgrading my machine when I noticed a package name that I'd never noticed before - zenity. It's a simple program which allows you to create GUIs from shell scripts.

Perl is a very widely used language which gets a lot of its power from the huge number of third party modules which are available in the CPAN archive. If you want to use a perl module which hasn't been packaged for Debian you have a choice to make.

Does anyone out there have an easy to setup traffic shaping mechanism? Specifically I want to keep things like http and ssh useable while maintaining downloads in the background.

I maintain a copy of GCC which has the ability to detect and prevent buffer overflow attacks from working. This simple guide explains how my GCC packages are built, if you write code which offers a service across a network you might be interested in using something similar yourself.

Mutt is a console based mail client which can connect to IMAP, or POP3 mail servers. It can also read and write to local mailboxes. For a console client it's very sophisticated, allowing you to customize your setup enormously. One thing that it lacks by default is the ability to read HTML emails though.

The code which is used to construct, maintain, and power this website is now available for others to use, or inspect, any issues that people wish to report should be sent to me.

If you have a network gateway which is running Linux you might sometimes want to allow access to machines behind it from the internet.

CVS is the Concurrent Versioning System, which allows multiple people to obtain source code, work on it and commit it back to a single central repository. Setting up a simple CVS server isn't difficult, and can be done securely with OpenSSH.

If you've setup a Linux machine as a gateway, standing between you and the internet then you have a lot of options for tweaking it. One of the most common things to setup is transparent proxying via squid.

When you are trying to reboot the system remotely after a kernel upgrade it's a good idea to have a rescue net. Using lilo allows you just such a thing, automatic rebooting if the machine panics or hangs.

Sometimes when you go to upgrade your machine with apt-get you will see that a package is being "kept back".

The Linux networking system allows one network card to have more than one IP address. This facility doesn't seem to be used very much but it's ideal for setting up services which you might wish to migrate to another host.
