Monthly Archives: February 2011

Adjust Keyboard Console Layout for Ubuntu 10.10

In order to temporarily change the keyboard layout of an Ubuntu system, the following command from package `kbd` (`aptitude install kbd`) does the trick:

~~~
loadkeys {us|de|whatever suits you}
~~~

A permanent switch is done by reconfiguring console data:

~~~
dpkg-reconfigure console-data
~~~

Unattended Security Updates in Ubuntu 10.10

In order to have automatic and unattended security updates in Ubuntu, one needs to install the corresponding package:

~~~
sudo aptitude install unattended-upgrades
~~~

Due to a missing file in the Ubuntu 10.10 package, the file `/etc/apt/apt.conf.d/10periodic` needs to be created with the following content:

~~~
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "1800";
~~~

Also, change the first few lines of `/etc/apt/apt.conf.d/50unattended-upgrades` as follows so that only security updates are considered:

~~~
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
// "${distro_id} stable";
"${distro_id} ${distro_codename}-security";
"${distro_id} ${distro_codename}-updates";
// "${distro_id} ${distro_codename}-proposed-updates";
};
~~~

It is vital to redo these settings after a global upgrade to a new distro release.

If configured correctly, the following command should produce this output:

~~~
$ apt-config shell UnattendedUpgradeInterval APT::Periodic::Unattended-Upgrade
UnattendedUpgradeInterval='1'
~~~
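
The `apt-config` check only confirms that the periodic job is switched on; it does not show which origins are allowed. The following added example (not part of the original post) lists every uncommented entry of the `Allowed-Origins` block and flags any that is not a `-security` pocket. The function names are hypothetical, and the embedded sample is constructed from the block shown above, where `-updates` is active alongside `-security`.

```shell
#!/bin/sh
# Added example (not from the original post): audit which origins
# unattended-upgrades is allowed to install from.

# Constructed sample: the Allowed-Origins block as configured above.
sample_config() {
    cat <<'EOF'
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
        "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};
EOF
}

# Print every origin that is not commented out. Reads the file given as
# argument, or stdin when called without one.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins/ { in_block = 1; next }
        in_block && $0 ~ /^[ \t]*[}]/                { in_block = 0 }
        in_block && $0 !~ /^[ \t]*\/\// {
            if (match($0, /"[^"]+"/))
                print substr($0, RSTART + 1, RLENGTH - 2)
        }
    ' "$@"
}

# Print active origins other than "-security"; return 1 if there are any.
non_security_origins() {
    extra=$(active_origins "$@" | grep -v -e '-security$' || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

sample_config | non_security_origins || echo "^ not limited to security updates"
```

On a real system, run `non_security_origins /etc/apt/apt.conf.d/50unattended-upgrades`, and run it again after a release upgrade, since the settings have to be redone then.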

Prepping Ubuntu 10.10 for easy KVM-Setup

These are just the basic preparatory steps along with a list of necessary packages. Comprehensive howtos have to be found elsewhere.

First, one needs to check if the necessary hardware prerequisites for virtualisation in KVM are met:

~~~
egrep '(vmx|svm)' /proc/cpuinfo
~~~

If there is no output, KVM can't be set up on that machine.

Nowadays, the simple command `kvm-ok` is available in recent Ubuntu releases and checks KVM compatibility of the available CPU.

The next step is to install the necessary packages:

~~~
aptitude install libvirt-bin kvm ubuntu-vm-builder virt-viewer virt-manager
~~~

Securing ssh Daemons from Brute-Force Attacks in Ubuntu

- Install fail2ban:
~~~
aptitude install fail2ban
~~~

- Create local configuration:
~~~
cd /etc/fail2ban && cp jail.conf jail.local
~~~

- Edit `/etc/fail2ban/jail.local` and enable `ssh-ddos` by changing the corresponding `enabled` line to `true`
- Restart fail2ban daemon:
~~~
service fail2ban restart
~~~

- Since Ubuntu version 10.04, rsyslogd is used; one of its default settings is to reduce the log output by compressing recurrent messages, which breaks the fail2ban mechanism. Therefore, changing the following line in `/etc/rsyslog.conf` is vital:
~~~
sed -i 's/RepeatedMsgReduction\ on/RepeatedMsgReduction\ off/' /etc/rsyslog.conf
~~~
~~~

- Restart fail2ban and rsyslog daemons:
~~~
service fail2ban restart && service rsyslog restart
~~~
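
Why message compression matters for a log-counting tool, as an added example that is not part of the original post: the same six failed logins are counted once as rsyslog writes them with `RepeatedMsgReduction off` and once with it `on`. The log lines are constructed, `count_failures` is a simplified stand-in for a fail2ban filter, and the threshold of 6 is an assumption for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post). All log lines are constructed;
# 203.0.113.7 is a documentation address and "d0" a sample hostname.
MAXRETRY=6   # assumed ban threshold for this illustration

# Two connections with three failed passwords each, as logged with
# RepeatedMsgReduction off: one line per failure.
log_reduction_off() {
    for pid in 2101 2107; do
        for s in 1 2 3; do
            echo "Feb 12 10:00:0$s d0 sshd[$pid]: Failed password for root from 203.0.113.7 port $((49000 + pid)) ssh2"
        done
    done
}

# The same events with RepeatedMsgReduction on: identical consecutive
# messages are folded into a summary line that carries no address.
log_reduction_on() {
    for pid in 2101 2107; do
        echo "Feb 12 10:00:01 d0 sshd[$pid]: Failed password for root from 203.0.113.7 port $((49000 + pid)) ssh2"
        echo "Feb 12 10:00:03 d0 sshd[$pid]: last message repeated 2 times"
    done
}

# Simplified stand-in for a log-matching filter: count matching lines per
# source address (the field after "from"). Reads a log on stdin.
count_failures() {
    awk '
        /Failed password for .* from / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (h in hits) print h, hits[h] }
    '
}

# Print the addresses whose count reaches the threshold.
would_ban() {
    count_failures | awk -v max="$MAXRETRY" '$2 >= max { print $1 }'
}

echo "reduction off: $(log_reduction_off | count_failures)"
echo "reduction on:  $(log_reduction_on | count_failures)"
```

With reduction on, the summary lines match no failure pattern, so the address is seen twice instead of six times and stays below the threshold.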

Protection from unintended Reboots in Linux

Handling several servers in different concurrent ssh sessions can lead to confusion. This is especially dangerous when it comes to unintended reboots. Here, molly-guard steps in by adding a confirmation dialog to each reboot command that is executed from a remote shell.

You can install molly-guard in Ubuntu with the following command:

~~~
sudo aptitude install molly-guard
~~~

Quick & Dirty VoIP Conference Room

This note describes the quick & dirty setup of a VoIP conference room using Asterisk PBX and Sipgate. Three files have to be adjusted accordingly:

sip.conf

~~~
[general]
canreinvite=nonat
nat=no
progressinband=yes
limitonpeers=yes
bindport = 5060
bindaddr = 0.0.0.0
context=incoming
qualify=no
callcounter=yes
allow=ulaw
allow=alaw
allow=g722
allow=g723
allow=g726
allow=gsm
srvlookup=yes
language=en
dtmfmode = rfc2833
register => :@sipgate.de/
allowsubscribe=yes
notifyringing=yes
notifybusy=yes
busy-level=1
fromdomain=
;=========================
[sipgate]
context=conferencecontext
type=friend
insecure=invite,port
; nat=yes
username=
fromuser=
fromdomain=sipgate.de
secret=<
host=sipgate.de
;qualify=yes
~~~

extensions.conf

~~~
[conferencecontext]
exten => ,1,Goto(conf,1)
; uncomment in case recording is needed
; exten => conf,1,Set(MEETME_RECORDINGFILE=/tmp/conference-recording)
exten => conf,1,Meetme(1234,sr)
exten => conf,2,Hangup()
~~~

meetme.conf

~~~
[general]
[rooms]
conf => 1234,
~~~

Quickly set up a new Root Server at Hetzner’s

Preparations in Hetzner Robot:

- Activate the rescue system
- Order an automatic hardware reset
- Log in to the rescue system and change the password

Now, automatic setup can be done via `installimage -c {configfile}` where `{configfile}` contains the following:
~~~
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME d0
PART swap swap 8GB
PART /boot ext3 256M
PART / ext3 4GB
PART /var ext3 2GB
PART lvm vg0 all
LV vg0 kvm /kvm xfs 20G
IMAGE /root/.oldroot/nfs/install/../images/Ubuntu-1010-maverick-64-minimal.tar.gz
~~~

Output:
~~~
Hetzner Online AG - installimage

Your server will be installed now, this will take some minutes
You can abort at any time with CTRL+C ...

: Reading configuration done
1/14 : Deleting partitions done
2/14 : Creating partitions and /etc/fstab done
3/14 : Creating software RAID level 1 done
4/14 : Creating LVM volumes done
5/14 : Formatting partitions
: formatting /dev/md0 with swap done
: formatting /dev/md1 with ext3 done
: formatting /dev/md2 with ext3 done
: formatting /dev/md3 with ext3 done
: formatting /dev/vg0/kvm with xfs done
6/14 : Mounting partitions done
7/14 : Extracting image (local) done
8/14 : Setting up network for eth0 done
9/14 : Executing additional commands
: Generating new SSH keys done
: Generating mdadm config done
: Generating ramdisk done
: Generating ntp config done
: Setting hostname done
10/14 : Setting up miscellaneous files done
11/14 : Setting root password done
12/14 : Installing bootloader grub done
13/14 : Running some ubuntu specific functions done
14/14 : Clearing log files done

INSTALLATION COMPLETE
You can now reboot and log in to your new system with
the same password as you logged in to the rescue system.
~~~

Now you can reboot into your new system.

List Disks in OS X

A simple but useful command line to find out about hardware names of connected disks in OS X is:
~~~
diskutil list
~~~