Archive for 2007

If you spend a lot of time creating new shell scripts, be they plain shell or scripting languages such as perl or python, then it can be very useful to make new scripts be executable by default. Here we'll show two simple recipes for GNU Emacs and vim to do just that.

The purpose of this Guide is to give you a straightforward, Debian-friendly way of installing and configuring Kerberos. We will go through an introduction to Kerberos, installation, configuration, PAM config and setting up encrypted telnet/ftp sessions to the server. We will show how to use Kerberos logins as a replacement for SSH keys, and how to use standard (optionally encrypted) telnet/ftp connections instead of SSH.

The current look of this site hasn't changed much for the past two years, apart from a few additional CSS rules being used by default in article texts. Whilst the content here is hopefully of sufficient quality to allow the current design to be tolerated, I'm sure we can do better.

I use Xen to create multiple locked-down virtual machines that run services which I want to present to the internet. I do not allow direct connections from the internet to my firewall, but sometimes there's a need to do remote administration (via ssh), so I can temporarily open up one or more ports. I do this with a webpage where an OPIE (one time password) challenge must be entered.

A couple of weeks back we had to migrate a few mailman based mailing lists across to a new server. Migration was successful and we had minimal downtime: since no changes were applied to the lists, they were simply moved to a new home. Here is how we did it.

From the manpages: schroot allows the user to run a command or a login shell in a chroot environment. If no command is specified, a login shell will be started in the user's current working directory inside the chroot.

Ever want to copy the output of a command to the clipboard and paste it elsewhere? How about pasting into the input of a command? xclip lets you do exactly that.

I've recently started to use mercurial to add a crude form of transactions to a set of shell scripts I wrote to automate some system administration tasks (installing mediawiki, tiddlywiki, fudforum, mailman, postfix satellite ...).

User management and the related cryptographic authentication infrastructure is a major hurdle in deploying scalable, manageable VPNs (Virtual Private Networks). After introducing VPNs and Public Key Infrastructure (PKI) and discussing some of the benefits and challenges of two popular VPN implementations, we'll document how to build a scalable PKI to simplify VPN authentication management.

Large and medium-sized corporate and institutional networks nowadays suffer from "smart" users who try to get their latest movie/software/music/TV show downloaded in their office.

Users of Debian's unstable branch, sid, will have noticed that their systems haven't been updated over the previous few days. This is because one of the core Debian machines is unavailable.

Many people here use GNU Screen, and I've not seen extensive coverage of the things you can do with the status-line in the past, so I thought a brief overview of a couple of visual settings wouldn't be amiss. Read on for more details.

I'm a frequent user of vserver and I like to create fresh installations as quickly as I can, for packaging or test purposes mostly. Unfortunately there aren't many current images available for download. So I made my own.

If you're like me you want to know what's going through your home network. Here is how to use tcpdump, tcpflow and foremost to intercept and extract unencrypted files.

If you run a website and want people to be able to search it, then installing a local spider to crawl your site and create a small database of your content which users may search is a relatively straightforward thing to do. Here we'll look at using mnoGoSearch - which is packaged for Debian and simple to install.

Have you ever had to make a one-line correction (or customization) in a big package? If so how did you manage it? The obvious way is to rebuild a package and serve it locally, but is there some other approach?

Egroupware is a web-based groupware suite with an impressive list of features. Egroupware uses a MySQL backend to store all its data, but the latest release makes it easy to store user accounts in an LDAP tree. This document describes how to install the latest version while using an LDAP backend for user accounts. Egroupware can then manage the unix login accounts as well as samba login accounts.

Many people view serial ports as antiquated, out-dated connectors taking up space on their computers. However, serial ports still offer one of the best ways to communicate reliably and simply with a machine. For example, a serial port can be configured to act as a full-featured system console. This article describes how you can use cereal to monitor, log, and control access to serial lines connected to the consoles of other computers.

Imagine you have a machine with all of its disks full and another with unused gigabytes, and you don't want to move the data from one to the other. Why not use the second machine's disk on the first? You can do it with iSCSI, but you can do it with ATA over Ethernet (AoE) too. It's the second method I'll explain in this article.

For many years I've been configuring servers without firewalls, and generally find this a good way to do things. However several people have recently questioned my judgment on this matter, so I'm interested in hearing your thoughts.

Lots of us have many servers to manage, and we perform the same tasks on each of the machines every day. If you want to save time, the cssh package will make you happy!

When a GNU/Linux machine runs out of physical memory it will start to use any configured swap-space. This is usually a sign of trouble, as swap files and partitions are significantly slower to access than physical memory; however, having some swap is generally better than having none at all. The size of swap allocated to files, or partitions, is usually chosen arbitrarily, with many people adopting the "double the memory size" rule of thumb. Using a dynamic system can ease the maintenance of this size.

Daylight savings time in New Zealand has changed to start one week earlier than last year, but in order for your Debian or Ubuntu system to automatically do the right thing on September 30th, it will need to be updated. Fortunately this is easy for etch, Ubuntu feisty and later releases, as updated tzdata packages are available in their respective proposed updates repositories. However, the situation is more complicated for sarge, so this guide looks at a solution. This may be of future value to others who find their system's timezone data lags behind real world changes.

Debian shows the absolute path in the command prompt by default, and it can be really long, sometimes. This can take up valuable space in your shell windows.

The machine hosting this site is suffering from a failing disk, and will be shut down shortly so that a new drive may be fitted. Update: Migration complete.

Usually when you connect to a server remotely, via ssh, you'll be shown the "message of the day", the last time you logged in to the machine, and other details. Here's a simple way to disable that behaviour.

Have you ever wanted to play with a new distro without having to burn and then reboot into a liveCD, or do an install into a spare partition that you may or may not have? QEMU has been an option for a while but it is slow. There are several options available to run up a virtual machine, i.e. a second operating system running inside and separate from your already running operating system. Here we will be focusing on kqemu and kvm.

Drupal is an excellent free software content management system, written in PHP. It's a good choice if you have to build a new site for non-technical users or customers, as both content editing and site administration can be done directly in the main site by authenticated users, and there's very little markup for those users to learn.

Many times I've found myself using Ctrl-R in Bash to get an old command four times the terminal width, just to find out that too many days have passed and it's no longer in the .bash_history file. Here are two lines that will keep track of every command line you type at the bash prompt and use no external processes at all, just plain bash.

There are times when you have a machine, or two, which is short of disk space and yet you have spare capacity elsewhere upon your LAN. For these times using a Network Block Device could come in handy. This allows you to literally export files as block devices remotely.

There are many methods used to fight spam which are tied to particular mailserver implementations. This means that unless you're using that specific software you cannot take advantage of them. A simple means of adding additional anti-spam checks to your mailserver is to place it behind an SMTP proxy. One common proxy is the extremely flexible qpsmtpd server.

Trying to insert 70,000 rules into iptables on a recent machine takes about an hour, and going through these rules for each packet is even more of a burden. But iptables can send packets to userspace to be handled there. This article describes how to efficiently filter network traffic based on thousands of IPs with a new tool called nfqueue.

This article describes how to use the new tunneling features of OpenSSH V 4.3 to establish a VPN between two Debian or Debian-like systems. Note that by tunneling I am referring to layer-3 IP-in-SSH tunneling, not the TCP connection forwarding that most people refer to as tunneling.

A few days ago, HP unveiled the latest version of their LinuxCOE (Linux Common Operating Environment). In as few words as possible, LinuxCOE allows you to set up a web page where you can make customized GNU/Linux installation CDs that can install a Linux distribution without any human interaction. This is very handy if you often have a lot of PCs to set up with GNU/Linux, and it is especially useful if those PCs all have varying hardware characteristics (different hard drive sizes etc.). If you want to see LinuxCOE in action, check out Instalinux, which is powered by LinuxCOE, and generate your own CD immediately :)

This setup might have other uses which I haven't thought about, but this was the scenario I had. I was working with testing home gateways, DSL/Ethernet/fiber, and had a lot of them. In an ideal world I would have one computer for each device acting as a "regular home user's computer", but that would require space/cooling/whatnot. When the number of devices went above ten, that was not really a practical solution anymore. Instead I set up a bunch of vservers.

Yes! You can grow an encrypted partition, as long as the size of the underlying block device grows first. If you have an ext3 filesystem on the encrypted partition, you can even grow the (encrypted) filesystem without unmounting it. This article gives a brief overview of how it is done.

I was chatting with a colleague over IRC on Tuesday and he was complaining about the new update for Bind9 that broke his automatic blocking of ad servers. Naturally I was curious and asked him what he was talking about.

Advanced Micro Devices (AMD) developed a series of 64-bit extensions to their 32-bit RISC-based Intel IA-32 (i386) compatible processors. AMD sell their AMD64 (x86-64) architecture processors under a range of names: Athlon 64; Turion 64; Phenom; Opteron and Sempron (only the latest generation).

It is no secret that I'm a big fan of the open source Xen virtual machine hypervisor, and I've written several tools to make using it under Debian GNU/Linux more straightforward. Here we'll take a quick look at using xen-tools to easily create new Xen guest domains.

I use gpg and other associated OpenPGP infrastructure a lot these days, but it's taken me a long time to get up to speed with it. The growing use of gpg across the Debian project (including the introduction of OpenPGP-signed APT repositories) has helped me immensely. I have friends and colleagues who use OpenPGP systems to varying degrees (including some not at all). Some of the folks who use it rarely (or not at all) are interested in learning more. I'd like to help the system spread, as I think it's the best infrastructure we have for seeing real decentralized, end-to-end cryptographic communications.

There's nothing like switching hardware architectures to make you realize one of the big advantages of free software: you can recompile all your free tools to use the new system. But what happens when you have a handful of non-free apps that were built for the old arch and you need to continue to be able to use them?

SSH is a must-use tool for system administrators. However, resting access security on a human-entered password is not very wise. Script kiddies may break into your system due to a lazy user with a weak password. And

One of my main goals for a managed infrastructure is to make sure I have consistent versions of end-user applications installed everywhere. My users aren't too picky about the version of xemacs installed, but they've got pretty stringent requirements on having a particular version of ANSYS, Abaqus, Fluent, Maple, Matlab, and other large non-free/no-source-available software packages. And they don't all agree on which version should be loaded, so I keep several loaded at once.

In our previous introduction to Puppet we covered installing the client and server, such that a small LAN could be configured centrally. Here we'll demonstrate some of the things that can be done with such a setup.

This must be a common problem, but I can't find the canonical solution. We have two identical machines running a few medium size websites. One is a production machine, the other is an identically setup machine used for development. We want to be able to deploy the development machine quickly in case of problems with the primary server - how should we go about that?

Puppet is a relatively new system configuration and management tool which can be used to administer a large number of machines. It is similar to CFEngine, but written in Ruby. In this introduction to working with Puppet we'll demonstrate how to install it, and use it upon a small LAN.

I am the administrator of a small computer lab, and I would like to automate the creation and initial setup of new user accounts - such that each new user can be given a printout of useful information and their account details. Is there some packaged software to do this simple job?

Since I bought my first amd64 system, I have been developing a solution to make the best of the new amd64 and the old x86 architectures and have them work together. There is a lot of documentation out there, but most of it is incomplete or obscure.

mutt is a well known and much loved mail client well suited to the efficient handling of a large volume of email. One of the things which makes it so powerful is its extreme flexibility and customisation options. The next-generation mutt package builds upon the core mutt with some additional features; most noticeably the introduction of a sidebar, which this article introduces.

When you're dealing with multiple drives, both fixed and removable, it can get hard to remember which is which: remembering to mount /dev/sda1 in one place and /dev/sdc5 in another. The solution to this problem is to use labels instead of partition names when referring to them, and here we'll show how that can be done.

The ext3 filesystem is probably the most common filesystem used upon GNU/Linux machines. It isn't necessarily the fastest, the best, or the most modern filesystem but it does perform adequately for the majority of users.

There are several control panels available for Debian GNU/Linux which allow you to use a web-browser to manage virtual hosting for websites and email. If you're using one I'd love to hear why you chose it, what you like about it, and what is missing.

This article will explain how to create a chroot jail for bind8. This effectively makes bind oblivious to the rest of the (file)system beyond its chroot directory tree. Therefore security will be increased, because if bind, due to some crack attempt, allows shell access, one cannot go beyond the chroot environment.

Bruteforce attacks shouldn't pose a real security risk to any server but are still annoying and clog up your logfiles. Many methods to block these break-in attempts exist, like BlockHosts, Fail2ban or rate-limiting incoming connections. However, on my search I also came across one tool for which I couldn't find an easy guide: geoip. geoip is a module for netfilter/iptables and allows you to filter packets based on the country they come from or go to. Following is a step-by-step guide on how to install geoip.

I'm just posting this to give advance warning that this site may be unavailable for parts of Saturday morning. Hopefully the downtime should be only a couple of hours at the most.
Update: Etch upgrade complete. No significant issues.

If you're responsible for creating the Debian packages of a piece of software which isn't in the Debian archives, or if you're a Debian developer keen on keeping your package up to date, you will need to be aware of any new software releases which should be packaged. Here we'll show a simple means of doing that.

I recently came across the grunt package which is designed to allow you to execute commands remotely, via the delivery of GPG-signed email. Since documentation is scant this introductory article was born.

The Debian Project is pleased to announce the immediate availability of their next stable release. Debian 4.0, codenamed Etch, was officially released today, after 21 months of constant development.

There are many times where it is useful to set up a small repository for apt-get to install packages from. The downside of placing such a repository in a publicly available place is that other people might start using it. Here we'll look at a couple of simple ways of restricting access.

Our team at LinuxForce recently put together a Debian server with LVM on a software RAID5 volume. This has been possible through complex installation procedures in the past, but today the Debian Etch installer is capable of handling such an installation if you follow the proper steps, which I outline in this article.

Last week, due to disk failure, we had to reinstall a server. This old workhorse has been serving numerous domains for the past 4 years and needed urgent maintenance. I made sure that I noted all the steps involved in implementing an Antispam & Antivirus filtering capable mail server when setting it up from scratch, and this article is the result.

A great way to improve security on your system's public services is to add an extra factor to your authentication scheme. Here we'll show what that means and how it works.

Over the past few years I've used the venerable XMMS application for playing back all my audio content. After reading recently that this project has been mothballed, seeing no future updates, I decided to try the successor project XMMS2. Here's how I got on.

Recently I was tasked with authenticating users who carry RSA SecurID tokens. I was highly inspired by Jeff Wirth and his success using RADIUS to authenticate with SecurID Tokens on FreeBSD. While I'm not a fan of non-free software, it's possible to make each server authenticate against the non-free RSA Ace server using only free software. This isn't a perfect solution but it's useful when such a requirement is thrust upon you.

There are a lot of times when it is useful to have a single shell script run both upon the local host, and also upon remote hosts. Here we'll show a simple trick which allows you to accomplish this easily.

Update: The project page hub for latest utilities is at Freshmeat.

One of the nice things about using Xen is that it doesn't require much setup to create new guests - just a loopback file or two, or an LVM partition. If you use NFS to store your remote systems you don't even need that. Here we'll give a quick example of booting Xen guests which will mount their root file-systems via NFS.

To download the source of a package contained inside a Debian repository, whether official, or unofficial, is a straightforward operation using the apt-get support for "source lists". However downloading a package source which is stored upon a remote webserver can be a little fiddly - requiring multiple files to be fetched before the source can be unpacked. Using the dget tool this can be easily automated.

When connecting to a new OpenSSH server for the first time you'll be prompted to accept its host key - but how do you know if it is valid? How do you manage SSH keys for multiple machines?

If you have multiple ethernet devices upon a system it is useful to make sure they are always given the device names that you expect. This can be useful when you're managing upgrades - or for situations where you accidentally set up a system with eth1 plugged into a switch rather than eth0.

MAC addresses are often taken for granted, things that nobody thinks about. However there are times when you do need to worry about them. Here we'll demonstrate how to view and change the MAC address of your Debian system.

Generating random numbers on a collection of machines can be a useful way of ensuring they don't all access a particular resource at the same time. (For example backup jobs to a central NFS server). However using truly random numbers can make things unpredictable - using a machine-specific delay can be the best solution.

If you've installed a Debian package upon a machine, but lost the binary archive, then it is difficult to copy that package to another machine. Thankfully there is a simple solution for recreating a Debian package from an installed system.

PHP has a notorious security history, but web hosts have to provide it. Suhosin is a security patch that can be applied to change behaviour of the default PHP install in security related ways, and is now packaged in Debian Etch and Sid, with some of it built into the default PHP builds, and some available as an extra.

Here is how I wrote some code using Perl to automate controlling my router. I have a NETGEAR DG834 ADSL router and I wanted to control it via ifup/ifdown so that, with the help of sudo, I can allow my home users to connect to and disconnect from the Internet from a Debian box.

For those of you that may not know what unixodbc does, "ODBC is an open specification for providing application developers with a predictable API with which to access Data Sources. Data Sources include SQL Servers and any Data Source with an ODBC Driver." They include a text file driver as an example of a non-SQL source. Two examples are Asterisk and OpenOffice.org.

When you start working with Ruby on Rails applications you're probably content with using the integrated HTTP server, webbrick, for development. Once you're using them in production though you'll want something more capable. This is where mongrel comes in.

X authentication is based on cookies -- secret little pieces of random data that only you and the X server know... So, you need to let the other user in on what your cookie is. One way to do this is as follows:

I recently set up Xen 3.0.3 on Debian etch using the great guide here from this site. However, if (like me) you use the binary Nvidia X.org driver, after rebooting into your new XenLinux kernel your X.org server will fail to start. If you read its error output, you will see that this is because it cannot find the nvidia kernel module. Here we'll show how to fix things.

Sometimes your Debian box hangs, and for a strange reason, there is no debugging information printed on your screen. What options do you have?

Do you need your machines to automatically alert you when new packages are available? apticron might be just the package you've been looking for.

Debian makes heavy use of its bug-tracking system for allowing users to inform developers which problems need fixing. However, it normally requires you to have a working MTA that connects to the Internet. This article shows that you can still report bugs even if you don't have a working MTA for any reason.

I wrote this article because I think that it will be useful for the people who are using Debian GNU/Linux as their home desktop and want to connect to a corporate LAN protected by a CheckPoint VPN-1/NG VPN server.

Suppose you have an email account and a shell account on a Unix server. Furthermore, suppose that you yourself use a laptop and download your mail from the server by POP3 or IMAP, and send it via SMTP using the server as a smarthost. Now imagine that for some reason (your dynamic IP, your geographic location, evil admins in your local network) SMTP access is denied. What can you do?

KWLAN is a very handy network connections manager for the KDE desktop. The main features are auto-detection of multiple interfaces, ability to use wpa_supplicant wireless security, and scripts that run for each connection profile created.

I have set up a network with centralized user authentication through LDAP and access to home directories with NFS. I would now like to monitor users' connection time and usage, but across the network, rather than on a per-machine basis.

Using the hercules emulator it is possible to have your system emulate an IBM mainframe! Here we'll give a brief overview of using the emulator to install a pre-made image of Woody, giving you a Debian GNU/Linux S390 system.
