Monthly Archives: February 2011

Adjust Keyboard Console Layout for Ubuntu 10.10

In order to temporarily change the keyboard layout of an Ubuntu system, the following command from package kbd (aptitude install kbd) does the trick:

loadkeys {us|de|whatever suits you}

A permanent switch is done by reconfiguring console data:

dpkg-reconfigure console-data 

Unattended Security Updates in Ubuntu 10.10

In order to have automatic and unattended security updates in Ubuntu, one needs to install the according package:

sudo aptitude install unattended-upgrades

Due to a missing file in the Ubuntu 10.10 package, the file /etc/apt/apt.conf.d/10periodic needs to be created with the following content:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "1800";

Also, change the first few lines of /etc/apt/apt.conf.d/50unattended-upgrades as follows so that only security updates are considered:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
        "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};

It is vital to redo these setting after a global upgrade to a new distro release.

If configured correctly the following command should produce this output:

$ apt-config shell UnattendedUpgradeInterval APT::Periodic::Unattended-Upgrade 
UnattendedUpgradeInterval='1'

Prepping Ubuntu 10.10 for easy KVM-Setup

These are just the basic preparatory steps along with a list of necessary packages. Comprehensive howtos have to be found elsewhere.

Fist, one needs to check if the necessary hardware prerequisites for virtualisation in KVM are met:

egrep '(vmx|svm)' /proc/cpuinfo 

If there is no output, KVM can't be set up on that machine.

Nowadays, the simple command kvm-ok is available in recent Ubuntu releases and checks kvm compatibility of the available CPU.

Next step is to install the necessary packages:

aptitude install libvirt-bin kvm ubuntu-vm-builder virt-viewer virt-manager

Securing ssh Daemons from Brute-Force Attacks in Ubuntu

  • Install fail2ban:

    aptitude install fail2ban
  • Create local configuration:

    cd /etc/fail2ban && cp jail.conf jail.local
  • Edit /etc/fail2ban/jail.local and enable ssh-ddos by changing the according enable line to true

  • Restart fail2ban daemon:

    service fail2ban restart
  • Since Ubuntu version 10.04 rsyslogd is used; one of its default setting is to reduce the log output by compressing recurrent messages, which breaks the fail2ban-mechanism. Therefore, changing the following line in /etc/rsyslog.conf is vital:

    sed -i ‘s/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/’ /etc/rsyslog.conf
  • Restart fail2ban and rsyslog daemon:

    service fail2ban restart && service rsyslog restart 

Protection from unintended Reboots in Linux

Handling several servers in different concurrent ssh sessions can lead to confusion. This is explicitly dangerous when it comes to unintended reboots. Here, molly-guard jumps into place by adding a confirmation dialog to each reboot command that is executed from a remote shell.

You can install molly-guard in Ubuntu with the following command:

sudo aptitude install molly-guard

Quick & Dirty VoIP Conference Room

This note describes the quick & dirty setup of an VoIP conference room using Astisk PBX and Sipgate. Three files have to be adjusted accordingly:

sip.conf

[general]
canreinvite=nonat
nat=no
progressinband=yes
limitonpeers=yes
bindport = 5060
bindaddr = 0.0.0.0
context=incoming
qualify=no
callcounter=yes
allow=ulaw
allow=alaw
allow=g722
allow=g723
allow=g726
allow=gsm
srvlookup=yes
language=en
dtmfmode = rfc2833
register => <sipgate_username>:<sipgate_secret>@sipgate.de/<sipgate_phonenumber>
allowsubscribe=yes
notfiyringing=yes
notifybusy=yes
busy-level=1
fromdomain=<your_hostname>
;=========================
[sipgate]
context=conferencecontext
type=friend
insecure=invite,port
; nat=yes
username=<sipgate_username>
fromuser=<sipgate_phonenumber>
fromdomain=sipgate.de
secret=<<sipgate_secret>
host=sipgate.de
;qualify=yes

extensions.conf

[conferencecontext]
exten => <sipgate_phonenumber>,1,Goto(conf,1)
; uncomment in case recording is needed
; exten => conf,1,Set(MEETME_RECORDINGFILE=/tmp/conference-recording)
exten => conf,1,Meetme(1234,sr)
exten => conf,2,Hangup()

meetme.conf

[general]
[rooms]
conf => 1234,<conf_room_pin>

Quickly setup a new Root Server at Hetzner’s

Preparations in hetzner robot:

  • Activate rescue-system
  • Order automatic hardware reset
  • Login into rescue system and change password

Now, automatic setup can be done via installimage -c {configfile} where {configfile} contains the following:

DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME d0
PART swap   swap      8GB 
PART /boot  ext3       256M 
PART /      ext3      4GB 
PART /var   ext3      2GB 
PART lvm    vg0       all 
LV   vg0    kvm   /kvm    xfs   20G
IMAGE /root/.oldroot/nfs/install/../images/Ubuntu-1010-maverick-64-minimal.tar.gz

Output:

                Hetzner Online AG - installimage

  Your server will be installed now, this will take some minutes
             You can abort at any time with CTRL+C ...

         :  Reading configuration                           done 
   1/14  :  Deleting partitions                             done 
   2/14  :  Creating partitions and /etc/fstab              done 
   3/14  :  Creating software RAID level 1                  done 
   4/14  :  Creating LVM volumes                            done 
   5/14  :  Formatting partitions
         :    formatting /dev/md0 with swap                 done 
         :    formatting /dev/md1 with ext3                 done 
         :    formatting /dev/md2 with ext3                 done 
         :    formatting /dev/md3 with ext3                 done 
         :    formatting /dev/vg0/kvm with xfs              done 
   6/14  :  Mounting partitions                             done 
   7/14  :  Extracting image (local)                        done 
   8/14  :  Setting up network for eth0                     done 
   9/14  :  Executing additional commands
         :    Generating new SSH keys                       done 
         :    Generating mdadm config                       done 
         :    Generating ramdisk                            done 
         :    Generating ntp config                         done 
         :    Setting hostname                              done 
  10/14  :  Setting up miscellaneous files                  done 
  11/14  :  Setting root password                           done 
  12/14  :  Installing bootloader grub                      done 
  13/14  :  Running some ubuntu specific functions          done 
  14/14  :  Clearing log files                              done 

                  INSTALLATION COMPLETE
   You can now reboot and log in to your new system with
  the same password as you logged in to the rescue system.

Now you can reboot into your new system.

List Disks in OS X

A simple but useful command line to find out about hardware names of connected disks in OS X is:

diskutil list