Tuesday, May 26, 2009

Linux Mint 7 "Gloria" released

Today Linux Mint 7, codenamed Gloria, was released. I downloaded it and wiped my Ubuntu 9.04 installation on my desktop so I could install Mint. Thus far I am very happy. Overall, Linux Mint is a great distribution that is really easy to use and friendly to all users, but there are a few things about it that are just really silly.

For example, Mint includes Mozilla Firefox and Thunderbird. These are both great applications that I use extensively. But they come with extensions preinstalled that cannot be uninstalled. Or, in Firefox, the search box that appears to the right of the address bar defaults to a customized Google search that adds additional ads at the top of each results screen. Granted, this is probably one of the ways that Linux Mint gets funding, but it's something annoying to the user. I had to delete that search engine and then install the standard Google search from here.

My only other real gripe with it is the "fortunes" that appear in new Terminal sessions. These "fortunes" are humorous text-based images with quotes. In Linux Mint 6, you were prompted during setup if you wanted these to be enabled or not. This version automatically enables them. They are disabled by opening /etc/bash.bashrc and commenting out or deleting the last line.

I do love how Mint includes additional repositories of easily installable goodness that Ubuntu does not. Instead of fetching the appropriate .deb installers, I could use the default repositories to install Songbird, a music player, and Opera, a backup web browser. Still no Truecrypt, though; I had to download that application from its website.

Mint uses its own custom Main Menu rather than the traditional GNOME three-menu system. The last time I had Mint installed I switched over to the latter of the two, but this time around I think I'll stick with the Mint Menu. They did some work on it between the last release and this one and it seems really nice. Two things I never noticed before are that you can uninstall packages or tell applications to start at login with a right-click. Very convenient.

Monday, May 25, 2009

Transmission 1.61 working!

I have been having trouble getting Transmission's bittorrent daemon working for a few versions now. Because of this, I have been using Transmission 1.51 for a time; however, all torrents would stop when I disconnected my SSH connection from the machine. Today I successfully configured Transmission 1.61 on my Ubuntu server. I am running transmission-daemon 1.61 (8365) on Ubuntu 9.04 Server. This version of Transmission includes a startup script to restart the daemon if the computer reboots.

To be on the safe side, it is probably a good idea to completely uninstall any previous versions of Transmission from your computer. Do this by typing:
sudo dpkg -P transmission-daemon transmission-cli transmission-common
If you do not already have transmission installed then you can ignore this step. However, you will need to add the repositories so you can download it. Add this line to your /etc/apt/sources.list file:
deb http://ppa.launchpad.net/transmissionbt/ubuntu jaunty main
Run these commands to import the key used to sign the packages and to update the list of packages available:
gpg --keyserver keyserver.ubuntu.com --recv 976b5901365c5ca1
gpg --export --armor 976b5901365c5ca1 | sudo apt-key add -
sudo aptitude update
Now you're ready to rock; run this command to install Transmission:
sudo aptitude install transmission-cli
After doing this, I commented out the line for the Transmission repository so that my system won't break again from an update. Add a hash (#) character at the beginning of the line you added a few steps ago in /etc/apt/sources.list so it looks like this:
#deb http://ppa.launchpad.net/transmissionbt/ubuntu jaunty main
Now create a directory where you want to save downloaded files to. DON'T USE YOUR HOME DIRECTORY! I have my server installed on two partitions, one for / and one for /home. Since the /home partition is so much bigger, I put my download directory at /home/downloads. You can create that directory with this command:
sudo mkdir /home/downloads
The transmission-daemon doesn't run as a process of your user, and since it can be very dangerous to run processes as root, it runs as its own user called debian-transmission. Give control of your newly created downloads directory to the user debian-transmission with this command:
sudo chown debian-transmission:debian-transmission /home/downloads
Now it's time to change some settings for the daemon. Shut down transmission-daemon:
sudo /etc/init.d/transmission-daemon stop
Verify that no transmission-daemon processes are running with:
ps aux | grep transmission
You should get one line of output that says "grep transmission" at the end. If not, kill the extra processes. Now open /etc/defaults/transmission-daemon with a text editor. This requires superuser privileges. To use the command line text editor VIM type:
sudo vi /etc/defaults/transmission-daemon
And if you want to use a GUI text editor type:
sudo gedit /etc/defaults/transmission-daemon &
Locate the line that reads:
OPTIONS="--auth --config-dir $CONFIG_DIR"
Change this line by inserting your own options. You can see what the different options are by running:
transmission-daemon -h
This will print out the available options without starting the daemon up again. I changed the line on my system to look like this:
OPTIONS="--config-dir $CONFIG_DIR -T -L2000 -l500 -er -P51413 -w /home/downloads/"
transmission-daemon by default listens on TCP port 51413 for incoming connections, but I recommend that you change it. Save and close that file.

Now you can startup the daemon again:
sudo /etc/init.d/transmission-daemon start
Happy downloading.
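Two of the steps above are edits to system files, and one is a chown that is easy to get wrong. The script below is an added example, not part of the original post, that does those edits against whatever file paths you hand it, so it can be tried on copies before touching /etc. It also flags one thing worth knowing about the OPTIONS line used above: -T (transmission-daemon's --no-auth) switches off the username/password check on the daemon's RPC interface that the stock --auth line had kept on. The function names, and the assumption of GNU sed and GNU stat, are mine.

```shell
#!/bin/sh
# Added example, not the post's own script. Scripts the two file edits and the
# ownership check from the Transmission procedure against paths passed as
# arguments. Assumes GNU sed (for -i) and GNU stat (for -c %U).

# comment_repo_line FILE LINE
# Prefix the exact apt source LINE with '#' so later updates ignore the PPA.
# '|' is used as the sed delimiter because the line itself contains slashes.
comment_repo_line() {
  sed -i "s|^$2\$|#$2|" "$1"
}

# set_daemon_options FILE OPTIONS_VALUE
# Replace the OPTIONS="..." line in the daemon defaults file, leaving every
# other line (CONFIG_DIR=..., comments) untouched.
set_daemon_options() {
  sed -i "s|^OPTIONS=.*|OPTIONS=\"$2\"|" "$1"
}

# get_daemon_options FILE
# Print the current OPTIONS value without the surrounding quotes.
get_daemon_options() {
  sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1"
}

# rpc_auth_disabled OPTIONS_VALUE
# Succeed when the options contain -T / --no-auth, i.e. the daemon's RPC
# interface will accept commands without a username and password.
rpc_auth_disabled() {
  case " $1 " in
    *" -T "*|*" --no-auth "*) return 0 ;;
    *) return 1 ;;
  esac
}

# download_dir_ok DIR USER
# Succeed only if DIR exists and is owned by USER (the chown step took effect).
download_dir_ok() {
  [ -d "$1" ] && [ "$(stat -c %U "$1")" = "$2" ]
}

# Usage against the real files (needs root; left commented so the script is
# safe to source for testing):
# comment_repo_line /etc/apt/sources.list 'deb http://ppa.launchpad.net/transmissionbt/ubuntu jaunty main'
# set_daemon_options /etc/defaults/transmission-daemon '--config-dir $CONFIG_DIR -T -L2000 -l500 -er -P51413 -w /home/downloads/'
# rpc_auth_disabled "$(get_daemon_options /etc/defaults/transmission-daemon)" && echo "note: RPC auth is off"
# download_dir_ok /home/downloads debian-transmission && echo "download dir ownership ok"
```

Keeping the paths as arguments is deliberate: run the functions on copies in a scratch directory first, diff the result, and only then point them at /etc.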

Hacked Facebook accounts

This morning I received Facebook messages from two different people containing links to a phony Facebook login page. My guess is that their accounts were compromised due to weak passwords and carelessness about their personal privacy. It still disappoints me that Facebook does not use encryption on their site, meaning that all data transferred, including page content and passwords, are sent in the clear. You can force encryption at the login page by appending an "s" after the "http" in the address, as I have done here:
https://www.facebook.com

Sunday, May 24, 2009

Configure vsftpd in CentOS

FTP is an old and insecure file transfer protocol but still sees wide use. FTP uses a client/server model in which an FTP server listens for connections from an FTP client. Depending on the configuration of the server, file transfers can occur in both directions. By default, FTP servers listen on TCP port 21. This is the port used to establish connections. The actual file transfer will occur over a different port.

FTP operates in two modes, active and PASV (pronounced "passive"). In active mode, the client dictates the port to be used for the file transfer whereas in passive mode, the server chooses the port to use. This distinction is important for port forwarding and firewalling.

vsftpd is an FTP server daemon for *nix systems. It was built with speed and security in mind. This daemon is included with CentOS, among other distributions, and should be included in the repositories for most systems. There is an option that allows each user on a system to authenticate using their Unix login and have FTP access to their home directory. This is very dangerous. Let me repeat that: This is very dangerous.

Using FTP, everything is transmitted in cleartext; all data, connection requests, usernames, and passwords are sent insecurely. By allowing users to log into the FTP server using their Unix login, that password is compromised. Solutions to this are to replace FTP with FTPS (FTP over SSL/TLS) or SFTP/SCP (file transfer over SSH). For those file transfers where security is not important, FTP is a convenient solution.

On my CentOS server, I configured vsftpd to allow for anonymous read access. To conduct this setup, first you must assume superuser privileges. The vsftpd config files are located in /etc/vsftpd. Before changing anything, make a copy of the applicable files:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original
Now open the file at /etc/vsftpd/vsftpd.conf with a text editor and locate these two lines:
local_enable=YES
write_enable=YES
Change them to read:
local_enable=NO
write_enable=NO
Now add these lines at the end of the file:
pasv_enable=YES
pasv_min_port=7090
pasv_max_port=7099
This will enable passive transfers and establishes a 10-port range over which file transfers may occur. I just arbitrarily chose this port range. You can really use any range not already in use by another service on your network. You will need to add this port range plus port 21 to your firewall exceptions. Not sure how to do this in CentOS with iptables? Check out this post.

Files you want to distribute via your new anonymous FTP server should reside in /var/ftp/. To start vsftpd, type this:
/sbin/service vsftpd start
If you want vsftpd to start with the system whenever it boots, type:
/sbin/chkconfig vsftpd on
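Because the whole point of the edits above is that Unix passwords never travel over FTP, it is worth checking the finished vsftpd.conf rather than trusting the edit. The script below is an added example, not part of the original post: it reads a vsftpd.conf given as an argument, reports anything that departs from the setup described (local logins on, writes on, no passive range), and prints the ports the firewall has to allow. It assumes only the key=value layout of vsftpd.conf; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a vsftpd.conf for the
# three settings the anonymous read-only setup above relies on and prints the
# ports to open in the firewall. Assumes the key=value layout of vsftpd.conf.

# conf_get FILE KEY : print the value of KEY (last occurrence wins, as in
# vsftpd), ignoring leading whitespace and commented lines.
conf_get() {
  sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# vsftpd_check FILE : print one line per problem; succeed only if there are none.
vsftpd_check() {
  _bad=0
  if [ "$(conf_get "$1" local_enable)" != NO ]; then
    echo "local_enable is not NO: Unix passwords would cross the network in cleartext"; _bad=1
  fi
  if [ "$(conf_get "$1" write_enable)" != NO ]; then
    echo "write_enable is not NO: clients could upload or delete files"; _bad=1
  fi
  if [ "$(conf_get "$1" pasv_enable)" != YES ]; then
    echo "pasv_enable is not YES"; _bad=1
  fi
  _lo=$(conf_get "$1" pasv_min_port); _hi=$(conf_get "$1" pasv_max_port)
  case "$_lo:$_hi" in
    *[!0-9:]*|:*|*:) echo "pasv_min_port/pasv_max_port missing or not numeric"; _bad=1 ;;
    *) [ "$_lo" -le "$_hi" ] || { echo "pasv_min_port exceeds pasv_max_port"; _bad=1; } ;;
  esac
  return $_bad
}

# vsftpd_firewall_ports FILE : print "21 MIN:MAX", the control port plus the
# passive range in the port:port form iptables --dport accepts.
vsftpd_firewall_ports() {
  printf '21 %s:%s\n' "$(conf_get "$1" pasv_min_port)" "$(conf_get "$1" pasv_max_port)"
}

# Typical use on the server, after editing the file:
#   vsftpd_check /etc/vsftpd/vsftpd.conf && vsftpd_firewall_ports /etc/vsftpd/vsftpd.conf
```

Note that vsftpd treats a missing key as its built-in default (local_enable defaults to NO in the stock vsftpd, but the CentOS file sets it to YES), which is why the check insists on seeing an explicit NO rather than accepting an absent key.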

A problem with Safari 4

I just read something of a disturbing article about the whole mess of crap that Apple's Safari 4 leaves in its wake. The author makes good points about wasted hard disk space and the privacy implications. On my Mac, one of the locations he cites is slightly different, with the three places of interest for me being:
  1. ~/Library/Caches/Metadata/Safari/History/
  2. ~/Library/PubSub/Feeds/
  3. /private/var/folders/Gv/GvY9b27uGaWWJ9oSwMEg5U+++TI/-Caches-/com.apple.Safari/Webpage Previews/
You can clear all of this crap out manually by opening Safari and going to the menu bar and choosing
Safari > Reset Safari...
The "Reset Safari" option box will pop up. Check off all of the options and click the "Reset" button at the bottom. This will clear out all of the junk Safari leaves behind. Since Safari is not my primary web browser, I tend to use this feature probably every week or so. Another reason to use Firefox I suppose.

If you don't want to reset all of your content in Safari, running these three commands will handle all of the junk it leaves on your system:
rm -rf ~/Library/Caches/Metadata/Safari/History/*
rm -rf ~/Library/PubSub/Feeds/*
rm -rf /private/var/folders/Gv/GvY9b27uGaWWJ9oSwMEg5U+++TI/-Caches-/com.apple.Safari/Webpage\ Previews/*

Saturday, May 16, 2009

Configure iptables in CentOS

Iptables is a powerful firewall program for Linux systems. It is bundled along with some distributions, among them being RHEL and CentOS. These distributions also include a nice easy to use GUI application for managing firewall rules. For those systems running without a GUI, the CLI client is very much a pain to use. I spent some time recently going through this iptables tutorial and have come up with a configuration script.

Iptables is a rule based firewall. It uses three different rule sets for managing traffic:
  1. Incoming traffic
  2. Outgoing traffic
  3. Traffic to be forwarded elsewhere
The forwarding rule set applies when your Linux computer is configured as a network gateway. For most uses, the only rule set to really focus on is the one governing incoming traffic.

For each packet the computer handles, it will determine which rule set applies to it and will proceed to read through the list of rules until it finds one that applies to that packet and will do the corresponding action. This is why it is crucially important where a particular rule is placed. If the first rule for the firewall is to allow all traffic and the second rule is to block traffic on a certain port, then all traffic is going to come through, including the traffic on the port that is meant to be blocked.

Manipulating iptables requires superuser privileges. This can be achieved either by using the su program to become root or by using the sudo command. Don't have sudo powers? Look at this post.

Iptables can be started/stopped/restarted using either of the following two commands:
/etc/init.d/iptables [command]
- or -
/sbin/service iptables [command]
The options for [command] are either start, stop, or restart. The service command above is really just a shell script that calls /etc/init.d/ so they do exactly the same thing. You get to use whichever you prefer.

When configuring iptables it was suggested in the tutorial I found to create your own rule sets from scratch rather than trying to modify the existing one. I did this and it has worked out very well for me so far. All of my rules go into a script that I edit and run whenever I want to make changes to the rules so that I do not have to edit the config file manually.

My iptables setup script
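The author's own script is not reproduced on this page. What follows is an added example of the same approach, not the author's script: a rule set built from scratch in the order the text explains matters, with loopback and already-established traffic accepted before the per-port rules and everything else left to a DROP policy. It emits iptables-restore format rather than a series of iptables commands so that the whole table is replaced in one step. Ports may be given singly ("22") or as a range ("7090:7099", which is the form --dport accepts, and what the vsftpd post above needs). The function names are mine; the rules assume the iptables 'state' match is available.

```shell
#!/bin/sh
# Added example, not the author's script. Builds an INPUT rule set in
# iptables-restore format from a list of TCP ports, in the order described
# in the text: loopback, then established/related traffic, then the listed
# ports, with the chain's DROP policy catching everything else.

# build_rules PORT... : print the rule set to stdout.
build_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # Packets that claim to open a connection but lack SYN are malformed; drop them.
  printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
  for _p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $_p -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# rule_order_ok < RULES : succeed if no per-port rule precedes the
# ESTABLISHED,RELATED rule, i.e. the ordering principle from the text holds.
rule_order_ok() {
  awk '/--state ESTABLISHED,RELATED/ { seen = 1 }
       /--dport/ && !seen { bad = 1 }
       END { exit bad }'
}

# count_port_rules < RULES : number of explicit per-port rules.
count_port_rules() {
  grep -c -- '--dport'
}

# apply_rules PORT... : load the rule set (needs root). iptables-restore swaps
# the table atomically, so there is no window with the old rules flushed and
# the new ones not yet in place.
apply_rules() {
  build_rules "$@" | rule_order_ok && build_rules "$@" | iptables-restore
}

# Typical call for a host running SSH plus the vsftpd setup from the post above:
#   sudo sh -c '. ./rules.sh; apply_rules 22 21 7090:7099'
# To persist across reboots on CentOS, follow it with: /sbin/service iptables save
```

Running build_rules on its own and reading the output before calling apply_rules is the cheap way to avoid locking yourself out of a remote box: make sure the SSH port is in the list.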

Check file or directory size in Linux

If you want to see how large a particular file or directory is, try the du tool. Here is the syntax:
du -sh [file1] [file2] ... [filex]
The output of this will appear as two columns of information, the first containing the size and the second containing the name of the file. Since in Unix everything, including directories, is a file, you can put the name of a directory in as an argument too. If you do, the disk usage numbers will be recursive into those directories. Leaving off the -s option will list each subdirectory and its respective size as well. The -s option aggregates these all into one entry identified by the top directory. The -h option makes the sizes human readable.

Check disk usage in Linux

If your Linux system is anything like mine, there are regularly partitions being mounted and unmounted and space always seems to be an issue. To quickly see what partitions are mounted to the system, what their mount points are, and what their capacity, amount used, and amount left are use this command:
df -h
This will list all of the above mentioned information in a nice and easy to understand manner. The -h option makes the size information human readable. Without it, you get the sizes in the number of blocks. With it, you get the size in kilobytes, megabytes, etc.

RHEL/CentOS CLI headaches

CentOS, and I would imagine RHEL as well, do not automatically include all of the program directories in the PATH variable by default like so many other distros do. For example, in CentOS, if you want to run the ifconfig program to check your IP address, you have to type this:
/sbin/ifconfig
The reason for this is because the /sbin directory is not assigned to the PATH variable. This has caused me unnecessary aggravation. There are a few ways to deal with this. First is with the which command. Run this command:
which ifconfig
The output should say: "/sbin/ifconfig". You can use the which tool to locate command line utilities, so if they are not assigned to the PATH variable you will be able to specify their full location in order to run them.

There is also a more permanent solution; add this line to your ~/.bashrc file:
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
Now restart your Terminal session and you will have all of those additional directories included in your PATH variable and won't need to specify the full location of their contained programs. To enable this for all users, add the line to the file located at /etc/profile. You need superuser privileges to edit that file.

Friday, May 15, 2009

Use rsync for backups and file syncing

Rsync is a fantastic and powerful tool for Unix based systems for transferring files between locations. This makes it useful for backups as well as file synchronization. Rsync uses SSH for communications, making it encrypted and secure. Additionally, there is an rsync daemon for automating this activity. Rsync is also incremental, so any files in the originating location already present in the destination will be skipped to save time and bandwidth. Rsync is included with Mac OS X, Linux, and is available for Windows via Cygwin.

Here is the syntax for a typical rsync file transfer:
rsync -avz path/to/local/dir [username]@[remote machine]:/path/to/remote/dir
The -v and -z options make the file transfer verbose and enable the use of compression, respectively. The -a option stands for archive, which is a shortcut for a whole bunch of other options which will make the transfer recursive into directories, copy symlinks as symlinks, preserve file permissions, modification times, owner (if root), group, and device files (if root). If you want, you can have the file transfer occur between two locations on the same computer or between two remote computers.

When I recently transferred my music library between my Mac laptop and Linux desktop, the rsync command I used looked something like this:
rsync -avz --delete --exclude '.DS_Store' ~/Music me@192.168.x.x:~/Music/
The --delete option will delete any files at the destination that are not also present at the original location. The --exclude option will not transfer those file that match the specified pattern. In this case, I didn't want to transfer the annoying Mac .DS_Store files.

I kept getting an error when I tried this going from my Mac for a while. It turns out that the problem was the custom greetings I had set up in my .bashrc file on the destination machine. To see if this is causing you problems, run this command:
ssh [username]@[remote machine] echo 2>/dev/null
The result of this command should be blank space. If you are getting any text at all as output, this includes any greetings, you need to disable them.

Determine your default gateway in Linux

Need to find out what your default gateway address is in Linux? Using the route program you can manipulate your Linux computer's internal routing tables and print out the current settings. Use this command to see your default gateway:
route -n
This will print out several columns of information. The second column should have a heading that reads "Gateway." The bottom entry in that column is the default gateway. If you leave the -n option off of the route command it will assign applicable host names to those addresses that it can.

This is just one function of the route program. Check out the manual pages for more details of what you can do with route.

Wednesday, May 6, 2009

Grant sudo powers in RHEL/CentOS

Running as root all the time is a dangerous tactic in a Unix based system, yet some commands can only be executed with superuser privileges. The sudo command allows a regular user to run selected commands with superuser privileges. This feature is included by default in Red Hat Enterprise Linux and CentOS systems, but it takes an extra step to get it working.

First you need to gain superuser privileges. Next, open the file located at /etc/sudoers. You need to locate the line that reads:
# %wheel ALL=(ALL) ALL
Now uncomment it by removing the hash mark (#) from the beginning of the line so it looks like this:
%wheel ALL=(ALL) ALL
Save and close the file. Now anyone who is a member of the wheel group will be able to use the sudo command. To add a user to this group, gain superuser privileges and run this command:
/usr/sbin/usermod -aG wheel [username]
This will add the specified user to the wheel group, allowing that user to use the sudo command.
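Two quick checks close the loop on the steps above: that the %wheel line really is uncommented, and that the user really landed in the wheel group. The script below is an added example, not part of the original post; it works on file paths passed as arguments so it can be exercised against constructed copies of sudoers and /etc/group. It also wraps visudo -c, which parses a sudoers file without installing it and is the safe way to confirm a hand edit did not leave sudo unusable. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks for the sudo/wheel setup
# described above, run against file paths passed as arguments.

# wheel_sudo_enabled SUDOERS : succeed if an uncommented "%wheel ALL=(ALL) ALL"
# line exists (a leading '#' means the line is still commented out).
wheel_sudo_enabled() {
  grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$1"
}

# user_in_group GROUPFILE USER GROUP : succeed if USER appears in GROUP's
# member list, the comma-separated fourth field of /etc/group.
user_in_group() {
  awk -F: -v u="$2" -v g="$3" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit !found }' "$1"
}

# sudoers_syntax_ok SUDOERS : visudo -c parses the file without installing it;
# only meaningful on a host that has visudo.
sudoers_syntax_ok() {
  visudo -cf "$1" >/dev/null 2>&1
}

# Typical use after following the steps above (run as root):
#   sudoers_syntax_ok /etc/sudoers && wheel_sudo_enabled /etc/sudoers && echo "wheel can sudo"
#   user_in_group /etc/group alice wheel && echo "alice is in wheel"
```

A user added with usermod -aG only picks up the new group on their next login, so if user_in_group succeeds but sudo still refuses, have them log out and back in before looking further.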

Unix Bang and Bang Bang shortcuts

The Unix Bash shell is an incredibly powerful tool. It even has built-in shortcuts to make your life easier. One such shortcut is called bang. The bang shortcut is executed using the exclamation point character (!). Bang is used to search backward through your Bash history until it finds a command that matches the string that follows it, and then executes it. For example:
!cat
This will search backward through your history until it finds a use of the cat command. It will then execute that command that uses cat. This can be useful if it was a long command and you don't want to retype it. To get a look at your history, use the history command:
history
Bang also has a feature to let you check the command it finds before executing it. Use this syntax instead:
!cat:p
Now bang will search back through your history for the use of the cat command like before, but instead of executing that command, it will print the command for you to look at. That's not all though, it will also copy that command it found to the end of your history. This is useful because if you do want to execute that command you can now use the bang bang shortcut to run it.

When a command with the bang bang shortcut is executed, the bang bang characters are replaced with the last command from the history. For example:
!cat:p
!!
This will search for the most recent appearance of the cat command, print that command to the console, and copy that command to the end of the history. The bang bang command will then run that command containing cat. Bang bang can also be used with other Bash tools, like pipe and grep, for example:
!cat:p
!! | grep "hello"
Here, the most recent command containing cat is printed and copied to the end of your history. Then, that command is executed with its results being piped into the grep command, which has been specified to print those lines containing the string "hello".

By far my favorite use of the bang bang is a trick that's been used by command line junkies for years. This is the sudo bang bang shortcut. Ever run a command only to have it fail for lack of superuser privileges? Instead of retyping the whole command with sudo or even pressing the up arrow and scrolling back to the beginning of the command to type sudo, you can just type this:
sudo !!
I hope you find these tricks useful.


Tuesday, May 5, 2009

Install KeePassX in Ubuntu

A couple of months ago I wrote about managing passwords securely using the free and open source KeePassX. I am still using it and loving it and today I installed it on my desktop running Ubuntu (Kubuntu right now). The process is relatively simple but there is a step their website could do a little better with. Start by adding these lines to your /etc/apt/sources.list file:
deb http://ppa.launchpad.net/keepassx/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/keepassx/ppa/ubuntu jaunty main
Next, you need to import the key used to sign the packages. This is the part that the KeePassX website doesn't provide. Run these commands:
gpg --keyserver keyserver.ubuntu.com --recv-keys 78414460095F1873
gpg --export --armor 78414460095F1873 | sudo apt-key add -
Now for the installation:
sudo aptitude update
sudo aptitude install keepassx
And that's all there is to it.

Monday, May 4, 2009

Switch between GNOME and KDE in Ubuntu

In the open source world, there are two main desktop environments, GNOME and KDE. Some other options out there are also XFCE and Fluxbox. Ubuntu comes with GNOME installed as the default desktop environment. There are other versions of Ubuntu, also produced by Canonical, that use some of the other environments. Kubuntu uses KDE and Xubuntu uses XFCE.

I recently installed the latest version of Ubuntu and since virtually all of my Linux desktop experience has been with GNOME, I thought I would give KDE a try. Ubuntu makes it easy to try this out, type this at the Terminal:
sudo aptitude update
sudo aptitude install kubuntu-desktop
This is a fairly hefty install, but assuming you have broadband it shouldn't take too long. During the installation process you will be prompted whether you want to use GDM or KDM as your default login manager. GDM is the one for the existing GNOME environment and KDM is the one for the new KDE environment. Pick whichever you want to be the default when you log in.

After running the installation I saw a system notification telling me there were some updates available and it turns out most of them were for the just installed KDE environment so you should also probably check for updates too. Weird that these wouldn't be included along with the installation but oh well. Type this to install all available updates:
sudo aptitude update
sudo aptitude full-upgrade
Now your new KDE environment should be ready to go. In order to use it, you will have to log out, change environments, and log back in. So go ahead and log out. Click the options button at the bottom left corner of the screen and choose the "Select Session" option. A menu full of radio buttons will pop up. The selected option is probably "Last session." Choose the one for KDE and click the "Change Session" button. After logging in, you will be prompted whether or not you want to make KDE the default for future sessions or if you just want to use it for this session. Pick whichever you'd like.

After you log in you'll notice that there are some additional applications installed as well. Certain applications are written specifically for KDE and certain ones are written specifically for GNOME. You can install and run them on systems that are running the other environment, they just require some additional dependencies to work correctly. Now you get to have them all.

If later on you decide KDE is not for you and you want to remove it, just run this command:
sudo aptitude remove kubuntu-desktop
Conversely, if you decide you love KDE and want to ditch GNOME for good, run this:
sudo aptitude remove gnome-desktop
As for me, I have plenty of hard disk space on my desktop so I'll probably keep both around regardless of which I decide I like better.

Sunday, May 3, 2009

New repositories for Moblock

Well I rebuilt my Linux server with Ubuntu 9.04 Server edition. So far everything is very similar to 8.10 however I noticed that there are different repositories for Moblock now. I detailed installing and using Moblock here. Add these lines to your /etc/apt/sources.list file:
deb http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/jre-phoenix/ppa/ubuntu jaunty main
Next you need to import the key to verify the signatures of the packages. If you already have Moblock installed you will need to disable it in order to make contact with the key server. Weird I know, go figure. Turn Moblock off with:
sudo blockcontrol stop
Now run these two commands to import the key to verify the signatures on the packages:
gpg --keyserver wwwkeys.eu.pgp.net --recv 9C0042C8
gpg --export --armor 9C0042C8 | sudo apt-key add -
Now update your local version information:
sudo aptitude update
If you are installing Moblock for the first time use this command:
sudo aptitude install moblock
If you are updating from a previous version, use these commands:
sudo aptitude full-upgrade
sudo blockcontrol start
Other than these changes, everything should be the same as in my previous post.

Jaunty Jackalope Installation

On April 23 Canonical released Ubuntu 9.04, Jaunty Jackalope. I installed it that night and have been playing with it ever since. I replaced my existing Linux installation on my desktop, which was Linux Mint 6, with this latest Ubuntu release. From my standpoint, there are two main advantages to this newest release. First is getting to use the EXT4 file system. I have been eagerly awaiting this because the benchmarks I have seen for it make EXT3, which I had been using, look positively slow. The other thing about this release is that it is extremely polished from a user interface standpoint.

After installing the first thing to do is install the available updates:
sudo aptitude update
sudo aptitude full-upgrade
All my hardware drivers were detected and installed automatically except for the nVidia graphics card and Creative sound card. The restricted drivers manager picked out a graphics driver for me to use and upon reboot I had desktop effects ready. I had to download my sound driver from Creative's website and compile from source, which proceeded without any hiccup.

I detailed here how to configure Ubuntu's firewall. I also installed a GUI for it, which comes preinstalled with Mint. What gives, Ubuntu? Here's the command to install it:
sudo aptitude install gufw
Ubuntu does not come with a lot of codecs preinstalled, unlike Mint. Installing them is easy however:
sudo aptitude install ubuntu-restricted-extras
Here are some of the other packages I installed:
build-essential (C and C++ compiler)
checkgmail (Gmail notifier)
ssh (full SSH package, including the server)
filezilla (FTP/SFTP/FTPS client)
vlc (media player to replace the included Totem)
sunbird (calendar application from Mozilla)
iptraf (console based bandwidth monitor)
sun-java6-jdk (Java SDK and runtime)
simple-ccsm (Compiz desktop effects manager)
I had to go to GetDeb.net to find a Songbird installer. Songbird is included in the repositories for Mint but not in Ubuntu yet.

All in all I am very happy with Ubuntu thus far. This release is so good it makes me impatient for the next release of Linux Mint.