Saturday, December 31, 2011

Seven ways to troubleshoot Ubuntu


Ubuntu strives to be suitable even for novice Linux users, but as with any operating system, problems will inevitably arise. Resolving issues with an unfamiliar OS can be daunting, but never fear. Plenty of resources exist to help get you back on the right track. Here are just a few ways to troubleshoot your Ubuntu desktop.
1. Use the online help. Clicking the question mark icon in the main menu bar will bring up Ubuntu’s extensive collection of formatted help documents. Use these to get up to speed with major features and applications.
2. Read the documentation. The Ubuntu developers maintain a documentation site at help.ubuntu.com. The quality of the instruction varies, but it’s a good way to familiarize yourself with the day-to-day workings of a Linux desktop. If you prefer paper manuals, a growing list of volumes is available, including The Official Ubuntu Book, published by Prentice-Hall.
3. Join the forums. By and large, Linux is developed and supported by the open source community. Your fellow users are your first and best resource for answers and advice about your Ubuntu desktop. Become an active participant in the community discussions at ubuntuforums.org, and ask your questions there. There’s a good chance that someone else has already experienced the same problems you have and has already begun the discussion -- use the search feature.
4. Search the Web. If the official forums can’t provide the answers you seek, by all means search elsewhere. Ubuntu’s popularity has inspired any number of enthusiasts to produce their own documentation and tutorial Web sites. Much of this advice is high quality.
5. Get paid support. Canonical, the company that maintains the Ubuntu Linux distribution, earns its money by offering enterprise-level support for Ubuntu users. You can purchase a 9-to-5 support contract for yourself or your business, or pay a little more to receive around-the-clock support. Contact Canonical Global Support Services for more information.
6. Enable the remote desktop feature. Under the System > Preferences menu you’ll find an option called Remote Desktop. With this enabled, IT staff (or your Linux-savvy friends) can use an application called a VNC (virtual network computing) client to view and control your PC remotely, in order to help diagnose and fix your problems. Just make sure your firewall is configured to let VNC connections in.
7. Make peace with the command line. Linux newbies dread the prospect of working with a text-based interface, but the command line prompt can be your best friend in a troubleshooting emergency. Although it’s similar to the old MS-DOS command shell, the Unix command line is more complex and also much more powerful. Once you’ve learned to use it, you’ll find that Linux is packed with hidden tools that get you back on your feet when the GUI fails you. A Web search will reveal a number of online tutorials to teach you the basics. To get started, you can access the command line in Ubuntu by launching the Terminal from the Applications > Accessories menu.

Downloading Debian CD/DVD images via HTTP/FTP


Official CD/DVD images of the stable release

To install Debian on a machine without an Internet connection, it's possible to use CD images (650 MB each) or DVD images (4.4 GB each). Download the first CD or DVD image file, write it using a CD/DVD recorder, and then reboot from that.
The first CD/DVD disk contains all the files necessary to install a standard Debian system.
To avoid needless downloads, please do not download other CD or DVD image files unless you know that you need packages on them.
CD
The following links point to image files which are up to 650 MB in size, making them suitable for writing to normal CD-R(W) media:
DVD
The following links point to image files which are up to 4.4 GB in size, making them suitable for writing to normal DVD-R/DVD+R and similar media:

Tuesday, August 9, 2011

Squid content filtering: Block / download of music MP3, mpg, mpeg, exec files



Q. For security and to save bandwidth, I would like to configure the Squid proxy server so that my users cannot download any of the following file types:
MP3
MPEG
MPG
AVG
AVI
EXE
How do I configure Squid content filtering?
A. You can use a Squid ACL (access control list) to block all of these files easily.

How do I block music files using squid content filtering ACL?

First, open the squid.conf file, /etc/squid/squid.conf:
# vi /etc/squid/squid.conf
Now add the following line to the ACL section of the file:
acl blockfiles urlpath_regex "/etc/squid/blocks.files.acl"
The following lines deny the matching requests and display a custom error message when a file is blocked:
# Deny all blocked extensions
deny_info ERR_BLOCKED_FILES blockfiles
http_access deny blockfiles
Save and close the file.
Create a custom error message HTML file called ERR_BLOCKED_FILES in the /etc/squid/error/ directory or the /usr/share/squid/errors/English directory:
# vi ERR_BLOCKED_FILES
Append the following content:
<HTML>
<HEAD>
<TITLE>ERROR: Blocked file content</TITLE>
</HEAD>
<BODY>
<H1>File is blocked due to new IT policy</H1>
<p>Please contact helpdesk for more information:</p>
Phone: 555-12435 (ext 44)<br>
Email: helpdesk@yourcorp.com<br>
Caution: do not include the closing tags </HTML> </BODY>, because Squid adds them itself.
Now create the /etc/squid/blocks.files.acl file:
# vi /etc/squid/blocks.files.acl
Append the following text:
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
Save and close the file. Restart Squid:
# /etc/init.d/squid restart
Squid in action:

Sunday, August 7, 2011

Block Torrent Files on Squid Proxies


BitTorrent is a peer-to-peer file sharing protocol used for distributing large amounts of data. BitTorrent is one of the most common protocols for transferring large files, and it has been estimated that it accounts for approximately 27-55% of all Internet traffic (depending on geographical location) as of February 2009 (see Wikipedia.org).

1. BitTorrent and Downloads

BitTorrent is a decentralized network for providing files of any size to other Internet users. You can think of BitTorrent as a powerful successor to FTP servers with additional features (highly available download sources, and content that can be found via search engines). For example, the major Linux distributions are available via the BitTorrent network.
Besides these and other nice features there is a dark side that should be considered when providing Internet access to employees or customers. A number of users use the BitTorrent network to distribute content for free in violation of national and international law. This problem is not specific to BitTorrent, but if you decide to restrict Internet access for your users and you are running a Squid proxy server, you can build a basic barrier by preventing the download of torrent files, which contain the metadata required for finding resources in the BitTorrent network.

2. Configure your Squid Proxy

To prevent your users from downloading torrent files, add the following lines to your Squid configuration file. The new rules will prevent users from downloading content matched by the patterns in a separate file called /etc/squid/extensiondeny.


acl extensiondeny url_regex -i "/etc/squid/extensiondeny"
acl download method GET
http_access deny extensiondeny download
http_access deny extensiondeny

The file /etc/squid/extensiondeny contains regular expressions. If one of these expressions matches a download request, Squid will veto it and will not provide the requested content. A basic configuration entry looks like this:


\.torrent$
This regular expression will match file names with the extension '.torrent'.
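As an added example (not from either of the Squid posts above), the following POSIX shell script reproduces the two matching styles those posts rely on, so a pattern file can be dry-tested before Squid is restarted: the blocks.files.acl patterns are matched case-sensitively against the URL path only (urlpath_regex), while the extensiondeny pattern is matched case-insensitively against the whole URL (url_regex -i). The pattern lists are copied from the posts; the sample URLs are constructed. It also shows an edge case both posts leave open: because every pattern is anchored with $, a download URL that carries a query string (song.mp3?token=abc) is not matched and is let through.

```shell
#!/bin/sh
# Added example, not from the original posts: dry-run the Squid ACL patterns
# shown above against sample URLs, without a running Squid.

# Copy of /etc/squid/blocks.files.acl (urlpath_regex: case-sensitive, hence
# the [Ee][Xx][Ee] spelling, and matched against the path only).
BLOCKS_FILES_ACL='\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$'

# Copy of /etc/squid/extensiondeny (url_regex -i: case-insensitive, matched
# against the whole URL).
EXTENSION_DENY='\.torrent$'

# url_path URL: print what urlpath_regex sees, i.e. everything after
# scheme://host[:port] (the path including any query string).
url_path() {
    rest="${1#*://}"
    case "$rest" in
        */*) printf '%s\n' "/${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# blockfiles_matches URL: succeed when the "blockfiles" ACL would match.
# grep -E reads the newline-separated list as one pattern per line, just as
# Squid reads the ACL file.
blockfiles_matches() {
    url_path "$1" | grep -Eq -e "$BLOCKS_FILES_ACL"
}

# extensiondeny_matches URL: succeed when the "extensiondeny" ACL would match.
extensiondeny_matches() {
    printf '%s\n' "$1" | grep -Eiq -e "$EXTENSION_DENY"
}

# decide URL: print "deny" or "allow" as the http_access lines of the two
# posts would (the torrent post's second http_access line denies regardless
# of request method, so the method is not needed here).
decide() {
    if blockfiles_matches "$1" || extensiondeny_matches "$1"; then
        echo deny
    else
        echo allow
    fi
}

# Constructed sample requests; the mp3 with a query string slips past the
# $-anchored pattern and is allowed.
if [ "${1:-}" = "--demo" ]; then
    for u in http://dl.example.com/setup.EXE \
             'http://dl.example.com/song.mp3?token=abc' \
             http://tracker.example.org/Ubuntu.TORRENT \
             http://www.example.com/index.html; do
        printf '%-48s %s\n' "$u" "$(decide "$u")"
    done
fi
```

Run it with --demo to see the decision for each sample URL. If downloads with query strings matter in your environment, the $ anchor in the pattern file is the place to relax; that is a change to the ACL file only, and the script can be rerun to confirm the new behaviour before Squid is restarted.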

Thursday, May 19, 2011

Port forwarding for iptables (DMZ)


If you have a network gateway which is running Linux you might sometimes want to allow access to machines behind it from the internet.
This is simple enough to do with iptables, which you will probably be using for the gateway's normal operation anyway.
Normally you'd deny all incoming connections to a gateway machine as opening up services and ports could be a security risk.
If you have a gateway machine and wish to forward connections on port 80 to an internal machine then you'd create the following rules:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
These two rules are fairly simple - the first says that all incoming TCP connections destined for port 80 should be sent to the internal machine 192.168.1.50 (also on port 80).
This rule alone doesn't do the job, though; we also have to accept the incoming connection. That is the job of the second rule, which says that new connections on port 80 should be accepted on the external device eth1.
To increase security you could limit this forwarding to only work when connections are coming from a particular address with the use of the "--source" flag:
iptables -A PREROUTING -t nat -i eth1 -p tcp --source 11.22.33.44 \
--dport 80 -j DNAT --to 192.168.1.50:80
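As an added example (not from the original post), here is a small POSIX shell script that prints the iptables commands for forwarding one TCP port to an internal host rather than running them, so the rule set can be reviewed before it is applied. The post accepts the connection in INPUT; on a gateway whose FORWARD chain is default-deny, the DNAT'ed packets also have to be accepted in FORWARD, since they are routed through the box rather than delivered to it, and the example emits those rules too. The interface, addresses and port are assumptions taken from the post (eth1, 192.168.1.50, port 80) plus a constructed client address, 203.0.113.7.

```shell
#!/bin/sh
# Added example, not from the original post: print (rather than run) the
# iptables commands for forwarding one TCP port to an internal host, so the
# rule set can be reviewed first; as root, pipe the output to sh to apply it.
# On top of the two rules in the post it emits the FORWARD-chain rules a
# default-deny gateway needs: DNAT'ed packets are routed through FORWARD,
# not INPUT. All interface, address and port values are assumptions.

# dnat_rules EXT_IF INT_IP PORT [SRC_IP]
# With SRC_IP given, only that client may reach the forwarded port (--source).
dnat_rules() {
    ext_if="$1"; int_ip="$2"; port="$3"; src="${4:-}"
    src_opt=""
    if [ -n "$src" ]; then
        src_opt=" --source $src"
    fi
    # 1. Rewrite the destination before routing (nat/PREROUTING), as in the post.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp${src_opt} --dport $port -j DNAT --to-destination $int_ip:$port"
    # 2. Let the rewritten packets cross the gateway (filter/FORWARD); with a
    #    default-deny FORWARD policy they are dropped without this.
    echo "iptables -A FORWARD -i $ext_if -p tcp${src_opt} -d $int_ip --dport $port -m state --state NEW -j ACCEPT"
    # 3. Replies and later packets of accepted connections, both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demo with constructed values: external interface eth1, web server
# 192.168.1.50, and 203.0.113.7 as the single permitted client.
if [ "${1:-}" = "--demo" ]; then
    dnat_rules eth1 192.168.1.50 80 203.0.113.7
fi
```

Omit the fourth argument to forward the port for every source, as in the post's first pair of rules; pass a client address to get the restricted variant.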

Wednesday, April 27, 2011

How to Reset debian Root Password

If you have forgotten the root password of your Debian server, use the following procedure to reset it.
Boot to the GRUB menu. Then, press <e> (for edit) before Linux has a chance to boot.

Using your keyboard arrow keys, move the cursor down a line or so and press <e> (for edit) again; you should now be on the kernel line. Press <End> to go to the very end of that line, hit the spacebar once if necessary to add a space, and then add one of the following:
init=/bin/bash
or
init=/bin/sh
Then press <Enter>, and you’re back at the kernel line, press <b> (for boot) and the computer will proceed to boot to a root prompt.
At this point, the root file system is still mounted read-only, so enter the following command:
mount -n -o remount,rw /
Then type:
passwd
Enter your new password. Retype if asked to confirm.
Then restart the machine by typing:
reboot
Now you should be able to login with your new root password as required.

Monitoring Debian Servers Using Monit

Monit is a utility for managing and monitoring processes, files, directories and devices on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
Monit Features
* Daemon mode - poll programs at a specified interval
* Monitoring modes - active, passive or manual
* Start, stop and restart of programs
* Group and manage groups of programs
* Process dependency definition
* Logging to syslog or own logfile
* Configuration - comprehensive controlfile
* Runtime and TCP/IP port checking (tcp and udp)
* SSL support for port checking
* Unix domain socket checking
* Process status and process timeout
* Process cpu usage
* Process memory usage
* Process zombie check
* Check the systems load average
* Check a file or directory timestamp
* Alert, stop or restart a process based on its characteristics
* MD5 checksum for programs started and stopped by monit
* Alert notification for program timeout, restart, checksum, stop resource and timestamp error
* Flexible and customizable email alert messages
* Protocol verification: HTTP, FTP, SMTP, POP, IMAP, NNTP, SSH, DWP, LDAPv2 and LDAPv3
* An HTTP interface with optional SSL support to make monit accessible from a web browser
Install Monit in Debian
#apt-get install monit
This will complete the installation with all the required software.
Configuring Monit
The default configuration file is located at /etc/monit/monitrc; edit this file to configure your options.
A sample configuration file follows; uncomment all of the following options.
## Start monit in background (run as daemon) and check the services at 2-minute
## intervals.
#
set daemon 120
## Set syslog logging with the 'daemon' facility. If the FACILITY option is
## omitted, monit will use the 'user' facility by default. You can specify the
## path to the file for monit native logging.
#
set logfile syslog facility log_daemon
## Set list of mailservers for alert delivery. Multiple servers may be
## specified using comma separator. By default monit uses port 25 - it is
## possible to override it with the PORT option.
#
set mailserver localhost # primary mailserver
## Monit by default uses the following alert mail format:
From: monit@$HOST # sender
Subject: monit alert -- $EVENT $SERVICE # subject
$EVENT Service $SERVICE
Date: $DATE
Action: $ACTION
Host: $HOST # body
Description: $DESCRIPTION
Your faithful,
monit
## You can override the alert message format or its parts such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded on runtime. For example to override the sender:
#
set mail-format { from: monit@monitorserver.com }
## Monit has an embedded webserver, which can be used to view the
## configuration, actual services parameters or manage the services using the
## web interface.
#
set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow 172.29.5.0/255.255.255.0
allow admin:monit # require user 'admin' with password 'monit'
# Monitoring the apache2 web services.
# It will check the apache2 process using the given pid file.
# If the process name or pidfile path is wrong, monit will
# report the check as failed even though apache2 is running.
check process apache2 with pidfile /var/run/apache2.pid
# Below are the actions monit takes when the service gets stuck.
start program = "/etc/init.d/apache2 start"
stop program = "/etc/init.d/apache2 stop"
# The admin will be notified by mail if one of the conditions below is satisfied.
if cpu is greater than 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > 200.0 MB for 5 cycles then restart
if children > 250 then restart
if loadavg(5min) greater than 10 for 8 cycles then stop
if 3 restarts within 5 cycles then timeout
group server
#Monitoring Mysql Service
check process mysql with pidfile /var/run/mysqld/mysqld.pid
group database
start program = "/etc/init.d/mysql start"
stop program = "/etc/init.d/mysql stop"
if failed host 127.0.0.1 port 3306 then restart
if 5 restarts within 5 cycles then timeout
#Monitoring ssh Service
check process sshd with pidfile /var/run/sshd.pid
start program = "/etc/init.d/ssh start"
stop program = "/etc/init.d/ssh stop"
if failed port 22 protocol ssh then restart
if 5 restarts within 5 cycles then timeout
You can also include other configuration files via include directives:
include /etc/monit/default.monitrc
include /etc/monit/mysql.monitrc
This is only a sample configuration file. The configuration file is fairly self-explanatory; if you are unsure about an option, take a look at the monit documentation at http://www.tildeslash.com/monit/doc/manual.php
After configuring your monit file you can check the configuration file syntax using the following command
#monit -t
Once there are no syntax errors, enable the service by changing the following in the file /etc/default/monit
# You must set this variable to 1 for monit to start
startup=0
to
# You must set this variable to 1 for monit to start
startup=1
Now you need to start the service using the following command
#/etc/init.d/monit start
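As an added example (not from the original post or the Monit project), here is a small POSIX shell pre-flight check for /etc/monit/monitrc. It flags three things that tend to go wrong when a listing like the one above is pasted in: typographic quotes around the start/stop commands, which monit cannot parse; the embedded web server left without a 'use address' line, so it listens on every interface; and the sample's admin:monit credentials left in place. The two sample files it writes are constructed, and the replacement password in the clean sample is a placeholder. Run monit -t afterwards as well, since this script looks only for these specific mistakes.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a monitrc
# before "monit -t" and "/etc/init.d/monit start". Sample files are constructed.

LQ=$(printf '\342\200\234')   # left double quotation mark (U+201C)
RQ=$(printf '\342\200\235')   # right double quotation mark (U+201D)

# strip_comments FILE: the monitrc with comment lines removed.
strip_comments() {
    grep -v '^[[:space:]]*#' "$1"
}

# lint_monitrc FILE: print one finding per line; prints nothing when clean.
lint_monitrc() {
    f="$1"
    if grep -qF -e "$LQ" -e "$RQ" "$f"; then
        echo "typographic quotes found; use straight \" quotes or monit -t will fail"
    fi
    if strip_comments "$f" | grep -qi 'set httpd'; then
        if ! strip_comments "$f" | grep -qi 'use address'; then
            echo "set httpd without 'use address': web interface listens on all interfaces"
        fi
        if strip_comments "$f" | grep -qi 'allow admin:monit'; then
            echo "default credentials admin:monit still configured"
        fi
    fi
    if strip_comments "$f" | grep -qiE 'start program[[:space:]]+"'; then
        echo "'start program' needs '=' before the quoted command"
    fi
}

# count_findings FILE: number of findings, as a plain integer.
count_findings() {
    lint_monitrc "$1" | wc -l | tr -d ' '
}

# Constructed sample reproducing the mistakes the checks look for.
write_sample_bad() {
    cat > "$1" <<'EOF'
set daemon 120
set httpd port 2812 and
  allow localhost
  allow admin:monit
check process sshd with pidfile /var/run/sshd.pid
  start program “/etc/init.d/ssh start”
  stop program “/etc/init.d/ssh stop”
EOF
}

# Constructed clean sample; the password is a placeholder to be replaced.
write_sample_good() {
    cat > "$1" <<'EOF'
set daemon 120
set httpd port 2812 and
  use address localhost
  allow localhost
  allow admin:CHANGE-ME-placeholder
check process sshd with pidfile /var/run/sshd.pid
  start program = "/etc/init.d/ssh start"
  stop program = "/etc/init.d/ssh stop"
EOF
}

case "${1:-}" in
    --demo) tmp=$(mktemp -d); write_sample_bad "$tmp/monitrc"
            lint_monitrc "$tmp/monitrc"; rm -rf "$tmp" ;;
    "")     ;;                    # no argument: only define the functions
    *)      lint_monitrc "$1" ;;  # e.g. sh lint-monitrc.sh /etc/monit/monitrc
esac
```

Run it with --demo to see the findings for the constructed bad sample, or with the path of your own monitrc; an empty result means none of the three checks fired, not that monit will accept the file, which is what monit -t is for.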
Monit Web interface
The Monit web interface runs on port number 2812. If you have a firewall in your network setup, you need to allow this port.
Now point your browser to http://yourserverip:2812/ (make sure port 2812 isn’t blocked by your firewall) and log in with admin and monit. If you want a secure login, you can use HTTPS; check here.
Monitoring Different Services
Here are some real-world configuration examples for monit. It can be helpful to look at the examples given here to see how a service is running, where it puts its pidfile, how to call the start and stop methods for a service, etc. Check here for more examples.