Category Archives: Server

A series of posts that cover the entire process of setting up a file server using Ubuntu Server 12.04: installing the OS, the LAMP stack, Samba for file sharing with Windows machines, and OwnCloud for personal cloud storage.
Also covered are waking the server with wake-on-LAN and a cron job script that shuts the server down automatically when it is idle. Thrown in are some educational pieces and tips on utilities, plus how to back up Windows machines to the server by waking it, performing the backup, and then letting the machine(s) shut down.

Samba and Linux Mint

In my original post on Samba I covered a lot of basics. Recently I learned a bit more using Linux Mint. In Mint, Samba is already loaded as part of installing the OS. I remembered that I had to add all the computers to the same workgroup to get Linux and Windows to play together, but I couldn't get two Mint machines to work via Samba. Name resolution was the issue.

I kept getting a "Failed to Retrieve Share List from Server" error. I was able to move files from a Mint machine to the Windows machine and then to the other Mint machine. The only thing I had to do was open up permissions on the folder to let Samba write to it. I used the Public folder under the /home/user directory. I would think that adding Samba to my user group would also work; I have checked into this and this is the answer I find…

http://unix.stackexchange.com/questions/206309/how-to-create-a-samba-share-that-is-writable-from-windows-without-777-permission

I did install Winbind thinking that it might help out. The Windows machine can see the Public folder, go into it, and read and write, with 777 permissions on it.

winbind is a component of the Samba suite of programs that solves the unified logon problem. Winbind uses a UNIX implementation of Microsoft RPC calls, Pluggable Authentication Modules (PAMs), and the name service switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on a UNIX machine.

https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

I started with this post which got me sort of there…

Samba Basic – Lesson 1: Samba Simply

https://community.linuxmint.com/tutorial/view/672

Name Resolution with Samba

http://www.oreilly.com/openbook/samba/book/ch07_03.html

How to Fix ‘Failed to Retrieve Share List from Server’ in Ubuntu 12.04 / 11.10 when File Sharing with Windows

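The two fixes behind the errors above, scripted, as an added example that is not part of the original post. The "Failed to Retrieve Share List" error is a NetBIOS name lookup failing on the Linux side; the winbind package provides libnss_wins, and adding wins to the hosts: line of /etc/nsswitch.conf lets the resolver fall back to it. It goes after dns on purpose: NetBIOS name resolution is unauthenticated broadcast that any host on the segment can answer, so only names DNS cannot resolve should reach it, and only on a LAN you trust. The second part is the group-based alternative to chmod 777 from the Stack Exchange answer linked above: the share directory is owned by one group with the setgid bit, and the share stanza forces that group on new files. The share name, path and group used below are placeholders, and Debian/Ubuntu paths are assumed.

```sh
#!/bin/sh
# Added example, not from the original post: the two fixes behind the errors above,
# scripted. Assumes Debian/Ubuntu (the winbind package provides libnss_wins); the
# share name, path and group passed to the functions are placeholders.

# nsswitch_add_wins FILE: append "wins" to the hosts: line so names DNS cannot
# resolve are looked up over NetBIOS through libnss_wins. Idempotent.
# Returns 0 when the line has it, 1 when FILE has no hosts: line.
nsswitch_add_wins() {
    f=$1
    grep -Eq '^hosts:.*[[:space:]]wins([[:space:]]|$)' "$f" && return 0
    grep -q '^hosts:' "$f" || return 1
    tmp=$f.tmp.$$
    # write through the existing file so its owner and mode are preserved
    sed '/^hosts:/s/[[:space:]]*$/ wins/' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# group_share_dir DIR GROUP: make DIR writable by one group instead of by everyone.
# The setgid bit (2775) makes files and subdirectories created in it inherit GROUP.
group_share_dir() {
    [ -d "$1" ] || mkdir -p "$1" || return 1
    chgrp "$2" "$1" && chmod 2775 "$1"
}

# share_stanza NAME DIR GROUP: the matching smb.conf share. Only members of GROUP
# may connect, and new files/dirs are created group-writable, so no 777 is needed.
share_stanza() {
    cat <<EOF
[$1]
   path = $2
   valid users = @$3
   writable = yes
   force group = $3
   create mask = 0664
   directory mask = 2775
EOF
}
```

Each Samba user still needs a Samba password (smbpasswd -a user) and must be a member of the group; run testparm after pasting the stanza into /etc/smb.conf or /etc/samba/smb.conf to check the syntax before restarting Samba.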

Using mount with bind to access usb drive via vsFTP

I have a USB stick plugged into my Raspberry Pi for external storage, mostly to hold music for the Sockso Music Server to get at. But I wanted to use it a bit more for generic storage. FTP is handy: you can reach it from any machine, and the command line client is the same on Windows and Linux, so I can walk up to any machine, install nothing, and reach into a folder with FTP.

For instance, if I have an infected Windows machine I don't dare stick a USB stick in it. Instead I go to the command line, ftp to the Raspberry Pi and grab the tools I need from there.

The Issue

The issue was that I tried to symlink from the FTP directory to the USB drive. vsftpd jails the FTP user in their directory with chroot, and a symlink that points outside that directory cannot be resolved from inside it, so the link simply dangles. That is deliberate: otherwise a symlink would be an easy way out of the jail.

The Solution

Mount the directory you want under the FTP directory using a bind mount. /media/sda is the USB stick's mount point, and the whole thing is made visible under the FTP directory (the target directory must already exist) using…

sudo mount --bind /media/sda/ /home/ftpuser/usb-drive/
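The command above wrapped with the checks that matter, as an added example that is not part of the original post: that /media/sda really has the stick mounted on it (otherwise the bind exports an empty directory), that the target is a real directory and not a symlink (the chroot is why the symlink failed), and, because the FTP client may be the infected machine mentioned above, a read-only remount so that nothing can be written back onto the stick through FTP. Paths are the post's; mount and mountpoint come from util-linux; the mount steps need root. A bind mount does not survive a reboot, and since the stick is mounted by a user with pmount, the export has to be redone after the stick is mounted rather than from /etc/fstab.

```sh
#!/bin/sh
# Added example, not from the original post: bind-mount a mounted USB stick into a
# vsftpd user's tree, read-only by default, after checking the preconditions.
# Paths are the post's; run as root.

# ftp_export SRC DST [rw]  -> 0 on success, otherwise:
#   1 = SRC is not a mount point (stick not mounted: the bind would export an empty dir)
#   2 = DST is a symlink (vsftpd's chroot will not follow it, so it must be a real dir)
#   3 = DST does not exist
#   4 = DST already has something mounted on it
#   5 = mount itself failed
ftp_export() {
    src=$1 dst=$2 mode=${3:-ro}
    mountpoint -q "$src" || return 1
    [ -L "$dst" ] && return 2
    [ -d "$dst" ] || return 3
    mountpoint -q "$dst" && return 4
    mount --bind "$src" "$dst" || return 5
    # Older util-linux silently ignores -o ro on a bind mount; a remount applies it everywhere.
    if [ "$mode" = ro ]; then
        mount -o remount,bind,ro "$dst" || return 5
    fi
}

# Usage: ftp_export.sh /media/sda /home/ftpuser/usb-drive [rw]
if [ $# -ge 2 ]; then
    ftp_export "$@" || { echo "ftp_export failed with status $?" >&2; exit 1; }
fi
```

After a successful export, findmnt or mount lists the target with the ro flag, and the FTP user sees the stick's contents but gets a permission error on STOR. Pass rw as the third argument only when the clients are trusted.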

Resources

FTP on Raspberry Pi. An easy way to make shared folders

Alternatives to FTP

https://radu.cotescu.com/vsftpd-and-symbolic-links/

Sockso Music Server on Linux

The Sockso Music Server is very functional and quite easy to set up in standalone or daemon mode. It is cross-platform, as it only depends on a Java runtime environment being installed on the target computer.

Recently I loaded it on my desktop, which runs Lubuntu 14.04. I tested it out on the desktop before loading it onto my Ubuntu server PC, which holds my music repository.

  • I will outline installing the Java run time environment needed to run Sockso on an Ubuntu machine
  • The Sockso install procedure
  • Getting it to run as a daemon
  • Getting it to find your music
  • At the bottom of the page I will have some links to resources that I followed and will provide information for running Sockso on other platforms.

The Sockso install procedure

It is not so much an install like compiling/installing, apt-get or adding a package. It is a simple old school download and drop files in a directory install.

  1. Download the Sockso zip file.  You can do steps 2 and 3 while waiting for  the download!
  2. Create /usr/share/sockso directory as root or via sudo so all files are set to root:root. ( sudo mkdir /usr/share/sockso )
  3. Create Sockso data directory /var/sockso as root or via sudo. ( sudo mkdir /var/sockso )  If sockso is terminated uncleanly, the files in this directory can get corrupted and it will need to be rebuilt
  4. Extract the files to /usr/share/sockso/ ( sudo unzip sockso-1.5.3.zip -d /usr/share/sockso/ ). The zip contains a top-level sockso-1.5.3 directory, so -d recreates it and this command made a sockso-1.5.3 folder under /usr/share/sockso. I then needed sudo mv to move all the files and dirs up one level (extracting to /usr/share and renaming the resulting directory to sockso would avoid the extra step).

Install Java

On my headless server I performed the following after typing java on the command line and being told it was missing. It usually resides at /usr/bin/java on a Debian/Ubuntu system; if it is installed, running it without arguments prints its usage text. The command which java will also tell you if it is installed…

The program 'java' can be found in the following packages:
 * default-jre
 * gcj-4.6-jre-headless
 * openjdk-6-jre-headless
 * gcj-4.5-jre-headless
 * openjdk-7-jre-headless
Try: sudo apt-get install <selected package>

I went for version 6 headless for starters. I am not sure what the difference between all the versions are, but version 6 worked for me.

erick@ubuntuserver:/tmp$ sudo apt-get install openjdk-6-jre-headless
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  ca-certificates-java icedtea-6-jre-cacao icedtea-6-jre-jamvm java-common
  libnspr4 libnss3 libnss3-1d openjdk-6-jre-lib tzdata-java
Suggested packages:
  default-jre equivs libnss-mdns sun-java6-fonts ttf-dejavu-extra
  fonts-ipafont-gothic fonts-ipafont-mincho ttf-wqy-microhei ttf-wqy-zenhei
  ttf-indic-fonts-core ttf-telugu-fonts ttf-oriya-fonts ttf-kannada-fonts
  ttf-bengali-fonts
The following NEW packages will be installed:
  ca-certificates-java icedtea-6-jre-cacao icedtea-6-jre-jamvm java-common
  libnspr4 libnss3 libnss3-1d openjdk-6-jre-headless openjdk-6-jre-lib
  tzdata-java
0 upgraded, 10 newly installed, 0 to remove and 5 not upgraded.
Need to get 44.2 MB of archives.


…and so on as it installed.

Reading Java Version

If you already have java and want to view the version…

java -version

…will get you the version, such as listed on my desktop PC…

erick@Precision-WorkStation-530-MT:/var/sockso$ java -version
java version "1.7.0_91"
OpenJDK Runtime Environment (IcedTea 2.6.3) (7u91-2.6.3-0ubuntu0.14.04.1)
OpenJDK Client VM (build 24.91-b01, mixed mode, sharing)

Test run

Before making it run as a daemon I wanted to test drive it. The following command starts it up. Note that with sudo the server runs as root; for anything beyond a quick test, create an unprivileged user that owns /var/sockso and run Sockso as that user, since it is listening on the network.

sudo sh /usr/share/sockso/linux.sh --nogui --datadir /var/sockso

When you terminate it, shut it down cleanly with a SIGTERM (a plain kill <pid>, not kill -9). I have read that killing it uncleanly can corrupt the data directory ( /var/sockso ); then you have to empty the directory and let Sockso rebuild its contents. I haven't had it corrupt the directory yet.

Running Sockso as a daemon

Running Sockso as a daemon is an advantage when you are running on a server. It will startup when the machine starts and the machine will take care of closing it down cleanly upon shutdown.

Perl script for running sockso as a daemon

After moving the Sockso files to the proper location there will be a Perl file at /usr/share/sockso/scripts/init.d/sockso

Copy the sockso run file written in perl from…

 /usr/share/sockso/scripts/init.d/sockso

…to…

/etc/init.d/sockso

…using…

sudo cp /usr/share/sockso/scripts/init.d/sockso /etc/init.d/sockso


Edit the file and change the directory at the top of the file to point to where sockso is installed ( /usr/share/sockso ).

Also make it executable.

sudo nano /etc/init.d/sockso

sudo chmod +x /etc/init.d/sockso

Now that it is in the init.d directory, the following should work (init.d is not on the PATH, so give the full path, or use sudo service sockso start on Ubuntu)…

sudo /etc/init.d/sockso (start|stop|restart)

Remember to change the directory at the top of the sockso script to point to the /usr/share/sockso dir.


Starting Sockso on boot

Follow the Steps 4,5,6 on this blog post…

https://samiux.wordpress.com/2009/07/17/howto-sockso-1-1-8-music-server-on-ubuntu-9-04-server/

I have a copy here as a PDF –> sockso-start-on-boot , just in case the link above disappears.


Sockso Command Prompt

Sockso comes with its own command prompt to administer it; help will list the commands. You can use the Sockso command line to add music to Sockso's collections, add and delete users, and perform other maintenance on it.

There is also a management webpage where you can perform the same functions as via the command line.

Finding Music

There is a command line mode for Sockso where you can point it to certain directories to index music from.

Run sockso to bring up its command line. At its command line use coladd followed by the path to the folder your music is in. It takes a while, since it is indexing into a database, so be patient. You can add multiple directories to its collections. If you add music to a directory in the collection, Sockso will find it and add it; by default it scans the collection directories every 30 minutes. I've tested it and it is pretty cool: dump in some music and a little while later it's there like magic.

coladd /home/username/Music

collist will list all the collections. coldel deletes a collection.

colscan forces a scan of the collections for newly added music without waiting for the periodic scan.

Symbolic Links to Music Folder

The Sockso coladd command has issues with spaces in directory names. What I have done is make a bunch of symbolic links using ln -s "directory of music" directory-of-music, so that Sockso only has to deal with my Music directory; if I add or remove music it figures it out on its own. The links also make it easy to see where all the music is. I show an example below in the Raspberry Pi section.

Sockso on Raspberry Pi

I just ( April 2016 ) installed Sockso on my Raspberry Pi. I got the idea of sticking a USB stick into one of its open ports and dumping my music repository on it. Then with Sockso I can get to it whenever I want. Previously I had it set up on my main server, which I have to start with Wake on LAN when I am not at home. Having Sockso on the Rasp Pi lets me get at it instantly and saves energy by not running a full-fledged server just to play music remotely.

Below is a tree of the Music directory that I created under my home directory. As can be seen there are symlinks without spaces that point to locations on the usb stick, mounted at /media/sda.

erick@raspberrypi ~/Music $ tree -L 1
.
├── main-collection -> /media/sda/music
└── renee-ipod-music -> /media/sda/Renee's iPod/iTunes_Control/Music/

The USB stick is formatted the way it came, FAT32. I use pmount /dev/sda1 /media/sda to mount it. In this way it is mounted not by root but by my user (FAT32 stores no Unix ownership, so everything on it appears owned by whoever mounted it), so all files are easily accessed by my own user, locally and remotely using NFS or SSHFS, and I can add and remove files easily.
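The symlink farm above, generated instead of typed by hand, as an added example that is not part of the original post. Given the stick's mount point and the Music directory, it creates one space-free, lower-case link per directory on the stick, so coladd only ever sees simple paths. The gotcha it handles is re-running: ln -sf on a link that already points at a directory would create a new link inside that directory, so the -n flag (GNU ln is assumed) is used to replace the link itself, and anything in the Music directory that is a real file or directory is left alone. /media/sda and ~/Music are the post's paths.

```sh
#!/bin/sh
# Added example, not from the original post: build a space-free symlink farm over
# a mounted music stick so "coladd" only ever sees simple paths. Assumes GNU ln (-n).
# Usage: sh linkmusic.sh /media/sda "$HOME/Music"

# slug NAME -> NAME lower-cased with spaces and quotes collapsed to single '-'
slug() {
    printf '%s' "$1" | tr " '\"" '---' | tr -s '-' | tr 'A-Z' 'a-z'
}

# link_collection SRC DST: one symlink in DST per directory directly under SRC.
# Re-running is safe: -n replaces an existing symlink instead of creating a new
# link inside the directory it points to, and real files/dirs in DST are never touched.
link_collection() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 1
    for d in "$src"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue          # no subdirectories: the glob stayed literal
        name=$(slug "${d##*/}")
        if [ -e "$dst/$name" ] && [ ! -L "$dst/$name" ]; then
            echo "skip: $dst/$name exists and is not a symlink" >&2
            continue
        fi
        ln -sfn "$d" "$dst/$name" || return 1
    done
}

if [ $# -eq 2 ]; then link_collection "$1" "$2"; fi
```

After the stick is re-mounted with pmount the links still point at the same paths, so a single coladd of the Music directory covers everything; run the script again whenever a new top-level folder appears on the stick.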


Users

In Sockso there is a concept of users. You can have multiple people logged in and have personalized settings. You can even authorize uploads by setting that option.

Adding users at the Sockso command line works similar to adding users in Linux.

useradd NAME PASS EMAIL ISADMIN 1/0     Adds a new user

Commands:
userlist                                Lists the users
useradd NAME PASS EMAIL ISADMIN 1/0     Adds a new user
userdel ID                              Deletes a user
useradmin ID ISADMIN 1/0                Sets a user to be admin/non-admin
useractive ID ISACTIVE (1/0)            Toggles users between being active or not
coladd PATH                             Adds a folder to the collection
coldel PATH                             Removes a folder from the collection
collist                                 Lists the folders in the collection
colscan DIR (optional)                  Start a collection scan
propset NAME VALUE                      Sets a property
propdel NAME                            Deletes a property
proplist FILTER                         Lists properties
version                                 Show version information
exit                                    Exit Sockso


Resources

Where to get Sockso, its official site

http://sockso.pu-gh.com/

This site is a bit dated but still helpful.

https://samiux.wordpress.com/2009/07/17/howto-sockso-1-1-8-music-server-on-ubuntu-9-04-server/

Sockso Read Me

Requirements
————

Sockso should come packaged with everything it needs to run,
all you have to do is have Java installed on your computer.
You can download the latest Java version for free from
the Sun website at: http://www.java.com

To run Sockso under Windows just double click “Run Sockso”.
Easy!

“Linux”
——-

If you’re running Linux or something similar then you may
just be able to double click the “linux.sh” shell script.
If this doesn’t work for you then you can run this script
from a terminal with:

$> sh linux.sh

Feedback
——–

If you’ve used Sockso then I’d love to hear what you think, so
please send me some email at: rod(at symbol)pu-gh(dot)com

Running as daemon
—————–
Usage: sockso (start|stop|restart)


sSMTP Installing and Configuration and Use Tips

Recently I was looking at creating a method of sending a warning email whenever my house temperature went below a threshold. I remembered that sSMTP was a simple way to send automated emails and cron emails. I have some simple notes on what I did.

Installation

Very easy, just use apt-get from the command line…

sudo apt-get install ssmtp

Configuring

The configuration file (/etc/ssmtp/ssmtp.conf) can be edited using any text editor you typically use.


Config at /etc/ssmtp/ssmtp.conf

Below is my config file with the critical info blocked out. The lines I modified are marked with arrow comments, and the new settings are grouped at the bottom under the "New Code" comment.

The key pieces to get it working for me at least were…

hostname = My ISP’s domain

root = my complete email that I use at the ISP

mailhub = I looked it up in Thunderbird, it is the smtp.myispsdomain.net part.

AuthUser=my complete email that I use at the ISP. It might be different for you. Years ago it used to be just the user name part of email without the domain.

AuthPass = The password that goes along with my email.

I commented out the defaults for the ones that existed in the file. Two things are worth checking after editing: the file now holds your mail password in cleartext, so it must stay readable only by root and the mail group (Debian installs it as root:mail with mode 640 and ssmtp itself setgid mail; verify with ls -l /etc/ssmtp/ssmtp.conf), and with UseSTARTTLS left off the password is also sent to the mailhub in cleartext, so only leave it off if the path to the mailhub is one you trust.

The config file is a bit ugly after I touched it, but I was trying to get this up and running quickly and didn't clean it up. But, hey, it works!


#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
#root=postmaster  <--- comment out

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
#mailhub=mail <-- comment out

# Where will the mail seem to come from?
#rewriteDomain=
# The full hostname
#hostname=raspberrypi <--- I was testing and killed this, it failed to work
# hostname has to be the mail domain! Or else it complains about
# the raspberrypi part! The SMTP server at frontier does, that is.
hostname=myispdomain.net
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES <-- Commented out and set below, I was testing!
# New Code put here 11302015
root=me@myispdomain.net
mailhub=smtp.myispdomain.net
AuthUser=me@myispdomain.net
AuthPass=myemailpassword
FromLineOverride=YES
#UseSTARTTLS=YES <-- Tried this, I didn't need it for my ISP.

CRON Email

Once installed, if you or root have any cron jobs on the machine, you will start to get email from them. You can cut back on the mail by appending …

> /dev/null 2>&1

… to the commands cron runs. Be aware that the 2>&1 part also discards error output, so a job can break without you hearing about it; appending only > /dev/null silences the normal output while still mailing you anything written to stderr, which is usually what you want from a cron job.

Testing

I installed mail utils to allow sending simple messages…

sudo apt-get install mailutils

Then I sent a message via the command line…

echo "Test" | mail -s "Test Subject" me@myispsdomain.net

…and I was able to see it work OK.

Send files via email

If you want to send files you have to install mpack.

sudo apt-get install mpack


Then you can send files to your email like this…

mpack -s "Test" /tmp/web/log.txt me@myispsdomain.net

Command Line Usage

If you execute ssmtp with an email address it lets you write an email at the command line, which is handy for quick emails, for example to remind yourself of something or to send yourself a snippet of code. You type the email in the form of the example below and hit Ctrl-D when done, and it sends.

ssmtp recipient_email@example.com

The following is an example right off the command line. Note the blank line after the Subject: header; it is required, since it separates the headers from the body.

erick@raspberrypi ~ $ ssmtp me@myispdomain.net
To:me@myispdomain.net
From:me@myispdomain.net
Subject:This is a test of ssmtp from the command line!

Hello there this is a test of the ssmtp from the command line tool. It could be used to send a reminder or small snips of code. Use Ctrl-D when you are done.

It is called up by using ssmtp emailtosendto@domain.com

Bye,
Me

Example of Sending CPU Temp Warning Emails

When I am away from home I can infer if my house is running too cold, which may indicate a problem with the furnace. The Raspberry Pi is lightly loaded, usually just idling, so the CPU temperature tracks the room temperature with an offset. When I am away, I set the house thermostat at 47 degrees F. If it drops below this value the CPU temperature of the Raspberry Pi will drop below 34 degrees Celsius, so I can just have it send me an email if this happens. Then I can double check a log of the temperature readings to see what is going on. I also run a webcam pointed at an actual thermometer for a sanity check; this is logged by using fswebcam to take an hourly snapshot. So I have my bases covered for the most part. Obviously if the power is out I am in the dark about the temperature, because the whole thing is down! Solving that is a future project.

Below is the snippet of code from a shell script that sits in /etc/cron.hourly and sends the warning emails to 2 addresses, the variables mailaddr and mailaddr2.

temp is the CPU temperature in Celsius as an integer. The thermal_zone0 reading is in millidegrees (34567 means 34.567 °C), so it is divided by 1000; taking the first two characters, as I originally did with cut, gives the wrong number below 10 °C and from 100 °C up.

minimum and maximum are my temperature thresholds. I don't care much about maximum but I have it set at 65 Deg. C. just in case.

#!/bin/bash
# Thresholds in degrees C and the two recipients (placeholder addresses)
minimum=34
maximum=65
mailaddr=me@myispsdomain.net
mailaddr2=other@myispsdomain.net

# Read the temp; the kernel reports millidegrees C, so divide to get a whole
# number (taking the leftmost 2 characters is wrong below 10 C and from 100 C up)
temp=$(( $(cat /sys/class/thermal/thermal_zone0/temp) / 1000 ))
#echo $temp

# Mail if above or below the limits
if (( temp > maximum )); then
   #echo "above"
   echo "Rasp Pi CPU Temp = $temp. " | mail -s "Rasp Pi HIGH CPU Temp > $maximum" $mailaddr
   echo "Rasp Pi CPU Temp = $temp. " | mail -s "Rasp Pi HIGH CPU Temp > $maximum" $mailaddr2

elif (( temp < minimum )); then
   #echo "below"
   echo "Rasp Pi CPU Temp = $temp. " | mail -s "Rasp Pi LOW CPU Temp < $minimum" $mailaddr
   echo "Rasp Pi CPU Temp = $temp. " | mail -s "Rasp Pi LOW CPU Temp < $minimum" $mailaddr2

fi
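An edge-triggered version of the same warning, as an added example that is not the post's script. Run hourly, the script above mails on every run while the reading is out of range, so a cold night produces a dozen identical mails and a recovery produces none. This one remembers the last state it reported in a small file and mails once when the reading crosses a threshold and once when it comes back. The state file path, the install name cputemp, and the recipient addresses are assumptions; the thresholds are the post's. The mailer is a function so that it can be swapped out for testing.

```sh
#!/bin/sh
# Added example, not the post's script: CPU-temperature warning for /etc/cron.hourly,
# edge-triggered so a long cold spell yields one LOW mail and one back-in-range mail.
# Assumed names: the state file, the install name "cputemp", and the addresses.
ALERT_TO=${ALERT_TO:-"me@myispsdomain.net other@myispsdomain.net"}  # space-separated
STATE=${STATE:-/var/tmp/cputemp.state}                               # last state reported
MIN=${MIN:-34}                                                       # degrees C, from the post
MAX=${MAX:-65}

# read_temp_c [SYSFS_FILE] -> whole degrees C. The kernel reports millidegrees,
# so divide; taking the first two characters breaks below 10 C and at 100 C.
read_temp_c() {
    f=${1:-/sys/class/thermal/thermal_zone0/temp}
    echo $(( $(cat "$f") / 1000 ))
}

# classify TEMP MIN MAX -> low | ok | high
classify() {
    if [ "$1" -lt "$2" ]; then echo low
    elif [ "$1" -gt "$3" ]; then echo high
    else echo ok
    fi
}

# send_mail SUBJECT BODY: the real transport (ssmtp behind mailutils' mail).
# $ALERT_TO is deliberately unquoted so each address becomes its own argument.
send_mail() { printf '%s\n' "$2" | mail -s "$1" $ALERT_TO; }
MAILER=${MAILER:-send_mail}

# report TEMP STATEFILE -> 0 if a mail was sent, 1 if the state is unchanged
report() {
    now=$(classify "$1" "$MIN" "$MAX")
    prev=$(cat "$2" 2>/dev/null || echo ok)   # no state file yet: assume in range
    [ "$now" = "$prev" ] && return 1
    printf '%s\n' "$now" > "$2"
    case $now in
        low)  "$MAILER" "Rasp Pi LOW CPU Temp < $MIN" "Rasp Pi CPU Temp = $1" ;;
        high) "$MAILER" "Rasp Pi HIGH CPU Temp > $MAX" "Rasp Pi CPU Temp = $1" ;;
        *)    "$MAILER" "Rasp Pi CPU Temp back in range" "Rasp Pi CPU Temp = $1" ;;
    esac
}

# Installed as /etc/cron.hourly/cputemp; run-parts invokes it with no arguments.
case ${0##*/} in
    cputemp) report "$(read_temp_c)" "$STATE" ;;
esac
```

The state file lives in /var/tmp rather than /tmp so that it survives the tmpfs /tmp described further down the page; if it is lost, the script assumes the last report was "in range", which at worst repeats one LOW mail after a reboot.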

Boot Email

I want to know if and when the Raspberry Pi I run 24/7 ever reboots due to a power outage, so I have it send me an email. The line below handles it and is in the root crontab. I have it sleep for 180 seconds first, then send the email; this gives the cascaded routers the Pi is connected to, and the cable modem, time to come online.

@reboot sleep 180 && echo "Rasp Pi Rebooted" | mail -s "Rasp Pi Reboot!" me@myispsdomain.net

I also log boots in a file that I can view online, just to keep track in one record. Note that this lands in the web root, so it is readable by anyone who can reach the web server; put it under a restricted directory if that matters.

@reboot date >> /var/www/bootlog.txt

Keeping track of boots helps for instance if I am away from home and the power goes out. If I get the email that the Pi rebooted, I can check to see how long the power was down and what the temperature of the house is to see if all is well.

Every hour I take a time/date stamped webcam snapshot of a thermometer so I can just look to see how many are missing and have a rough estimate of how long the power was out and how cold the house got and verify that it is getting warmer because the furnace is on!

In the future I will connect a BME280 sensor to the Raspberry Pi that will be able to read ambient room temperature directly, along with humidity and barometric pressure. So I won’t have to infer the house temperature via the CPU temperature.

Resources

This is the page I used to configure ssmtp on the Rasp Pi.

http://www.raspberry-projects.com/pi/software_utilities/email/ssmtp-to-send-emails

FTP on Raspberry Pi. An easy way to make shared folders

The idea with FTP is to have folders that are reachable between Linux and Windows, locally and remotely, easily. FTP is not secure: the password and the files cross the network in cleartext. vsftpd can wrap the control and data connections in TLS (ssl_enable=YES, i.e. FTPS), and SFTP over SSH is the other usual answer, but for now I am covering the basics of FTP here.

For most things that I need to do, I don't need the files to be secure anyway; 90% of the time nothing critical is going back and forth remotely. If it is, I would use a secure method of sending files via SSH, either SFTP or an SSHFS.

FTP is an old protocol but it just plain works and is compatible with Windows, Linux and Mac. I have tried WebDAV in the past but it is compatible to only a degree with various Windows operating systems. I have had a hard time getting it working correctly on versions of Windows beyond XP, resorting to installing patches to Windows and so on. Generally not easy to implement.

I was also looking at FTP as a native tool typical of server installs. I have experimented with cloud setups such as OwnCloud and Sparkleshare, but with FTP I was looking for something simple and quick to set up: no special software, no MySQL database running on the Raspberry Pi, no special software on client PCs, that sort of thing.

vsFTP

sudo apt-get install vsftpd

Edit the configuration file

Back it up first then do an edit.

sudo cp /etc/vsftpd.conf /etc/vsftpd.orig
sudo nano /etc/vsftpd.conf

uncomment local_enable=YES

uncomment write_enable=YES

Find this and check that it is set this way (and, unless you really want anonymous logins, that anonymous_enable=NO)…

local_umask=022

Enabling PASV

I have read online that enabling the PASV capability for FTP is a good idea. Frequently when I have FTP'd to various ISPs' sites I have seen them operate in PASV mode. So it stands to reason that if the pros have it set up that way it may have its advantages.

Add the following lines to the /etc/vsftpd.conf file.

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100

There is nothing magic about the numbers of the port range other than that they should be unused by anything else your setup might require, and generally I have seen high numbers used. The reason passive mode matters is that the client opens the data connection to the server, which is what makes FTP work from behind a client-side NAT or firewall; in active mode the server has to connect back to the client. The server must therefore accept connections on that range, so port 21 plus the pasv range are what to forward through your router configuration (and open on any firewall) for it to work outside your local network.

Changes to vsFTP

With the newer versions of vsFTP there is a change that has occurred since I wrote my previous post about vsFTP (  http://oils-of-life.com/blog/linux/server/additional-utilities-for-a-linux-server/ )

The change is that the root directory of the chrooted user has to be non-writable; vsftpd otherwise refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". I have read online that it is best to make it owned by root as well. This is covered below, after the section on adding a user. You need to have a user first before modifying their permissions!

FTP User

To create an FTP user, create it without a login shell, so that someone who can log in to the FTP account can't execute shell commands. vsftpd never runs the shell, but the PAM configuration it uses on Debian/Ubuntu includes pam_shells, so whatever shell you give the account must be listed in /etc/shells; /sbin/nologin (on Debian/Ubuntu the real binary lives at /usr/sbin/nologin) may not be in that file and then needs to be added. The user basically has to be jailed in their directory and has to have no login shell.

sudo useradd -m -s /sbin/nologin -d /home/user user

I added Documents and public_html directories to /home/user as well. Then I made the user's root folder, /home/user, owned by root and non-writable.

cd /home/user
sudo chown user:user Documents
sudo chown user:user public_html

# The root of the user's jail must be root-owned and non-writable
sudo chown root:root /home/user
sudo chmod a-w /home/user
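A small audit of the resulting vsftpd.conf, as an added example that is not part of the original post. It reads the settings the procedure above touches the way vsftpd does (keys are case-sensitive, boolean values are not, and an absent key takes vsftpd's compiled-in default from vsftpd.conf(5)) and prints one line per weak setting: anonymous logins, which default to on when the key is missing; local users without chroot_local_user=YES, which is the setting that makes the non-writable root above necessary in the first place; allow_writeable_chroot=YES, which turns that protection back off; a passive range that is not pinned, so nothing can be forwarded; and no TLS. The function returns the number of findings.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf for the settings
# the post touches. Usage: sh vsftpd-audit.sh /etc/vsftpd.conf

# vsftpd_get FILE KEY -> value of the last uncommented "KEY=value" line, or nothing
vsftpd_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# vsftpd_bool FILE KEY DEFAULT -> YES or NO. Mirrors vsftpd's parser: the value is
# case-insensitive and YES/TRUE/1 are true. DEFAULT is the compiled-in default
# from vsftpd.conf(5), used when KEY is absent.
vsftpd_bool() {
    v=$(vsftpd_get "$1" "$2" | tr 'a-z' 'A-Z')
    case ${v:-$3} in YES|TRUE|1) echo YES ;; *) echo NO ;; esac
}

# vsftpd_audit FILE -> prints one finding per line; return value is the number found
vsftpd_audit() {
    f=$1; n=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 255; }
    if [ "$(vsftpd_bool "$f" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable is YES (vsftpd's default when unset): anyone can log in as anonymous"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_bool "$f" local_enable NO)" = YES ] &&
       [ "$(vsftpd_bool "$f" chroot_local_user NO)" = NO ]; then
        echo "local_enable=YES without chroot_local_user=YES: local users can browse the whole filesystem"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_bool "$f" allow_writeable_chroot NO)" = YES ]; then
        echo "allow_writeable_chroot=YES: re-enables the writable chroot root vsftpd refuses by default"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_bool "$f" pasv_enable YES)" = YES ]; then
        if [ -z "$(vsftpd_get "$f" pasv_min_port)" ] || [ -z "$(vsftpd_get "$f" pasv_max_port)" ]; then
            echo "pasv_enable without pasv_min_port/pasv_max_port: data ports cannot be firewalled or forwarded"
            n=$((n + 1))
        fi
    fi
    if [ "$(vsftpd_bool "$f" ssl_enable NO)" != YES ]; then
        echo "ssl_enable is not YES: passwords and files cross the network in cleartext"
        n=$((n + 1))
    fi
    return $n
}

if [ $# -gt 0 ]; then
    vsftpd_audit "$1"
fi
```

Run against the configuration built by the steps above it reports three findings (anonymous logins, no chroot, no TLS); the first two are fixed with anonymous_enable=NO and chroot_local_user=YES, which is exactly the setup whose root directory must be non-writable.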



FTPing on the PC

Now that ftp is set up on the server you will want to be able to connect to it!

Options for connecting…

Command Line, Windows and Linux

ftp yoursite.com

That gets you into FTP via the command line. The command prompt will now start with ftp> ,that is how you know that you are within the ftp command shell.

It is archaic, but worth knowing when you have to stick a file up or pull it down right at the command line. The commands the ftp prompt accepts are basic, but good enough to get most work done. Type help at the prompt to get a list of commands.

Via Folders

Linux

Just enter the address of the FTP server, in the form ftp://yoursite.com, into the location bar of the file manager; you will be prompted for a password and taken there.

Windows
Windows7/Vista:
  1. Open Computer by clicking the “Start” button, and then clicking Computer.
  2. Right-click anywhere in the folder, and then click Add a Network Location.
  3. In the wizard, select Choose a custom network location, and then click Next.
  4. To use a name and password, clear the Log on anonymously check box.

From: https://www.google.com/search?q=connect+to+ftp+windows+7&ie=utf-8&oe=utf-8


Automatic Server Status Page Creation Update

In January 2015 I created a post about automatically creating a status page for a Linux server that I have. It belongs under a directory the web server restricts (basic auth or an address restriction), because the page includes the tail of syslog, the process list and who is logged in, which is exactly the kind of reconnaissance you do not want to hand to anyone else who can reach the server. It gives a snapshot of what is happening on the server. I run it by putting the scripts in the /etc/cron.hourly directory on a Linux PC and on a Raspberry Pi running Linux.

It serves as a simple way to check up on the server without having to use a tool such as Webmin that requires a login. It also keeps a trail of log files that get rotated on a monthly basis, so there is always a few old ones around to track down any problems and patterns in the operation.

I have found this information useful when I have traced down malfunctions that can occur when setting up a server and also when I was trying to get a webcam up and running and had the USB bus hang up a few times when the cam was overloaded with too much light.

In the new script file I fixed a bug by adding parenthesis around a line that I was trying to echo and I added code to run the w command to show a quick picture on who is logged in, how long the server has been up and running and the values for the average load on the server at the 1, 5 and 15 minute marks.

Logcreate Script

#!/bin/dash
# Remove old log
rm -f /var/www/status/log.txt
# Print logged outputs into new log.txt
date >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
tail /var/log/syslog >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
free >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
df -h >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
# Top memory using processes http://www.commandlinefu.com/commands/view/3/display-the-top-ten-running-processes-sorted-by-memory-usage
#ps aux | sort -nk +4 | tail >> log.txt
echo "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND" >> /var/www/status/log.txt
ps aux | sort -nrk 4 | head >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
# Logged in User info using w command
w >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
echo >> /var/www/status/log.txt
# Copy log.txt into the full log that is collected
cat /var/www/status/log.txt >> /var/www/status/fulllog.txt
# Create a free standing copy of the process tree
pstree > /var/www/status/pstree.txt

Alternate Version

I also created a version of the script for a desktop Linux PC that does not have Apache installed. In it I use a DIR variable to hold the directory where the log.txt file is stored.

#!/bin/dash

# User defined variables
# No trailing / on DIR!
DIR=/home/erick/status

# Remove old log
rm -f $DIR/log.txt
# Print logged outputs into new log.txt
date >> $DIR/log.txt
echo >> $DIR/log.txt
tail /var/log/syslog >> $DIR/log.txt
echo >> $DIR/log.txt
free >> $DIR/log.txt
echo >> $DIR/log.txt
df -h >> $DIR/log.txt
echo >> $DIR/log.txt
# Top memory using processes http://www.commandlinefu.com/commands/view/3/display-the-top-ten-running-processes-sorted-by-memory-usage
#ps aux | sort -nk +4 | tail >> log.txt
echo "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND" >> $DIR/log.txt
ps aux | sort -nrk 4 | head >> $DIR/log.txt
echo >> $DIR/log.txt
# Logged in User info using w command
w >> $DIR/log.txt
echo >> $DIR/log.txt
echo >> $DIR/log.txt
# Copy log.txt into the full log that is collected
cat $DIR/log.txt >> $DIR/fulllog.txt
# Create a free standing copy of the process tree
pstree > $DIR/pstree.txt

Rotation of Log

In the /etc/cron.monthly directory I have created a file called status-log-rotate that keeps backup copies of two months' worth of the full concatenated server status logs.

#! /bin/bash
DIR=/home/erick/status
# The first runs have no .1/.2 yet, so only move files that exist
[ -f $DIR/fulllog.txt.1 ] && mv -f $DIR/fulllog.txt.1 $DIR/fulllog.txt.2
[ -f $DIR/fulllog.txt ] && mv -f $DIR/fulllog.txt $DIR/fulllog.txt.1
exit 0

Tweaks for Raspberry Pi

For the Raspberry Pi, which has an SD card that I am trying not to write to too often, I have recently moved the /tmp folder onto RAM using tmpfs and create the hourly log in a folder under it. Each hour the log is appended to a daily log, also in RAM; a script in /etc/cron.daily then appends that daily log to the full log, which lives under the restricted status folder on the SD card. The end result: no hourly writes to the SD card, just one append to the full log per day. The only downside is that if the power drops, that day's entries are lost.

Logcreate runs from /etc/cron.hourly for Raspberry Pi

#!/bin/dash
# Set DIR, on Pi this is a temp location for log
DIR=/tmp/web

# Set fixed DIR FIXDIR for files that have to be stored on SD card
# Nevermind, just make a daily log and then copy that to the full log daily.
#FIXDIR=/var/www/status

# Remove old log

rm -f $DIR/log.txt
# Print logged outputs into new log.txt
date >> $DIR/log.txt
echo >> $DIR/log.txt
tail /var/log/syslog >> $DIR/log.txt
echo >> $DIR/log.txt
free >> $DIR/log.txt
echo >> $DIR/log.txt
df -h >> $DIR/log.txt
echo >> $DIR/log.txt
# Top memory using processes http://www.commandlinefu.com/commands/view/3/display-the-top-ten-running-processes-sorted-by-memory-usage
echo "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND" >> $DIR/log.txt

ps aux | sort -nrk 4 | head >> $DIR/log.txt
echo >> $DIR/log.txt
# Logged in User info using w command
w >> $DIR/log.txt
echo >> $DIR/log.txt
echo >> $DIR/log.txt
# Copy log.txt into the full log that is collected
cat $DIR/log.txt >> $DIR/dailylog.txt
# Create a free standing copy of the process tree
pstree > $DIR/pstree.txt

dailylog-to-fulllog script, runs from /etc/cron.daily

#! /bin/bash

DIR=/tmp/web
FIXDIR=/var/www/status

# Nothing to flush if no hourly run has happened since boot (tmpfs starts empty)
[ -f $DIR/dailylog.txt ] || exit 0

echo "----------------------------------------------" >> $DIR/dailylog.txt
date >> $DIR/dailylog.txt
echo "----------------------------------------------" >> $DIR/dailylog.txt
cat $DIR/dailylog.txt >> $FIXDIR/fulllog.txt
rm -f $DIR/dailylog.txt

Logcreate Output from Raspberry Pi

Below is what the logcreate script will output to the log.txt file on a Raspberry Pi that I have running as a web server.

Sun Jul 12 14:17:01 EDT 2015

Jul 12 13:47:51 raspberrypi dhclient: DHCPACK from 192.168.1.1
Jul 12 13:47:52 raspberrypi dhclient: bound to 192.168.1.17 -- renewal in 40673 seconds.
Jul 12 13:59:01 raspberrypi /USR/SBIN/CRON[28010]: (erick) CMD (aplay /opt/sonic-pi/etc/samples/guit_e_fifths.wav)
Jul 12 13:59:07 raspberrypi /USR/SBIN/CRON[28009]: (CRON) info (No MTA installed, discarding output)
Jul 12 14:00:01 raspberrypi /USR/SBIN/CRON[28013]: (erick) CMD (/home/erick/fswebcam/cron-timelapse.sh >> timelapse.log)
Jul 12 14:00:23 raspberrypi /USR/SBIN/CRON[28012]: (CRON) info (No MTA installed, discarding output)
Jul 12 14:01:01 raspberrypi /USR/SBIN/CRON[28022]: (root) CMD (/home/erick/bin/usbreset /dev/bus/usb/001/004)
Jul 12 14:01:02 raspberrypi /USR/SBIN/CRON[28021]: (CRON) info (No MTA installed, discarding output)
Jul 12 14:09:01 raspberrypi /USR/SBIN/CRON[28053]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime))
Jul 12 14:17:01 raspberrypi /USR/SBIN/CRON[28064]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)

             total       used       free     shared    buffers     cached
Mem:        445804     424488      21316          0     106768     260516
-/+ buffers/cache:      57204     388600
Swap:       102396          0     102396

Filesystem      Size  Used Avail Use% Mounted on
rootfs          6.3G  3.1G  3.0G  51% /
/dev/root       6.3G  3.1G  3.0G  51% /
devtmpfs        214M     0  214M   0% /dev
tmpfs            44M  240K   44M   1% /run
tmpfs           5.0M  8.0K  5.0M   1% /run/lock
tmpfs            88M     0   88M   0% /run/shm
/dev/mmcblk0p5   60M   19M   41M  32% /boot

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2071  0.0  3.0  24896 13652 ?        Ss   Jun28   2:24 /usr/sbin/apache2 -k start
www-data 27745  0.0  1.5  25412  7084 ?        S    09:58   0:00 /usr/sbin/apache2 -k start
www-data 27744  0.0  1.5  24960  6760 ?        S    09:58   0:00 /usr/sbin/apache2 -k start
www-data 27743  0.0  1.5  25428  7116 ?        S    09:58   0:00 /usr/sbin/apache2 -k start
www-data 27742  0.0  1.5  25396  7036 ?        S    09:58   0:00 /usr/sbin/apache2 -k start
www-data 27538  0.0  1.5  25396  7032 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data 27502  0.0  1.5  25404  7036 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data 27501  0.0  1.5  25396  7044 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data 27747  0.0  1.3  24936  6188 ?        S    09:58   0:00 /usr/sbin/apache2 -k start
www-data 27746  0.0  1.3  24936  6188 ?        S    09:58   0:00 /usr/sbin/apache2 -k start

 14:17:02 up 14 days, 12:56,  1 user,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
erick    pts/0    192.168.1.5      14:04   10:39   1.70s  1.70s -bash

Simple WebDAV

WebDAV, the DAV stands for Distributed Authoring and Versioning. In its simplest form it is a folder that can be accessed from the web, protected by a username and password. There are basically two versions, plain and SSL; with SSL the data flowing in and out of the folder is encrypted as it moves across the web. In this post I am covering the simple non-SSL form for starters.

This post assumes that Apache is installed, if you need to install it do…

sudo apt-get install apache2

Then load the Apache modules for DAV…

sudo a2enmod dav
sudo a2enmod dav_fs

Create a folder for WebDAV

I created a directory at…

/srv/homes/webdav

…the command…

mkdir -p /srv/homes/webdav

…will also create the parent folders, such as homes, if they do not exist.

Edit the Apache default file

The WebDAV folder access is simply controlled by the sites-available/default file. To edit it run…

sudo nano /etc/apache2/sites-available/default

Towards the bottom of the file right above the section that has the ScriptAlias for the /cgi-bin/ directory, I placed the following code…

Alias /webdav /srv/homes/webdav
<Location /webdav>
    Options Indexes
    DAV On
    AuthType Basic
    AuthName "webdav"
    AuthUserFile /etc/apache2/webdav.password
    Require valid-user
</Location>

Adding the Password

Use the htpasswd command to add a user and password to the webdav.password file; it will prompt you for the password. The file contains hashed passwords, not the plaintext.

sudo htpasswd -c /etc/apache2/webdav.password username

For an extra level of protection you can change ownership of the file to root with the group www-data, so that no regular users can read it. Set the permissions to read-write for the owner root and read-only for the www-data group…

sudo chown root:www-data /etc/apache2/webdav.password
sudo chmod 640 /etc/apache2/webdav.password

Access the Folder

With everything set up the folder will now appear at http://your-url-here.com/webdav; you can browse to it to test it out. You will be prompted for the username and password created earlier in the Adding the Password step.

Further Potential for WebDAV

  • Setup multiple WebDAV folders.
  • Put a web folder on expanded storage on a Raspberry Pi, for example by using a bind mount to point to a USB stick plugged into the Pi for extra storage space.
  • It is possible to set up WebDAV with SSL to secure it in a way that the data flowing in and out of the folder will be secured from prying eyes. With my non-SSL WebDAV folder, I don’t put anything up there that is critical or really private data.
  • It is possible to use DAV for support of calendars across devices, something I will explore in the future.
  • There is an app for the iPhone that I have tried that allows easy uploading and downloading to the WebDAV folder. It is easy to drop attachments from email and etc. to the folder for access on a PC.

Resources

https://www.digitalocean.com/community/tutorials/how-to-configure-webdav-access-with-apache-on-ubuntu-12-04 

WebDAV Resources

Raspberry Pi

Network File System (NFS)

For a while I have been using Samba to remotely connect Windows computers to my Linux computers and one Linux file server. I can even connect my Linux laptop to my Linux server via Samba. But, recently I bought a Raspberry Pi and I got interested in using NFS for three reasons.

  1. The Raspberry Pi will be running 24/7 and I would like the option to automount the home folder and others from it on my Linux computers when I start them up.
  2. I would like to mount some folders on a server (“big” file storage Linux server) that I can start remotely to the Raspberry Pi so that it will act like expanded storage on the Raspberry Pi. Then I can start the “big” server remotely and mount the folders on the Pi and use the Pi as a proxy. So it is connected to the web and I can navigate to folders that are on the big server via a connection to the Pi with NFS mounted directories.
  3. It would make it easy to backup Linux machines, including the Pi to the big server periodically. Years ago I thought about NFS for mounting folders for backup but I was pretty happy using a scripted FTP system for backups, so I shelved implementing NFS mounts back then.

Implementing NFS was a lot easier than I thought it would be. It was actually much easier than getting Samba to work the way I wanted it to.

The first step (in my opinion) is to have the machines that you will mount directories from and to on static IP addresses. On a home network it really does make it easier to have all the machines other than guest machines on static IPs. This can be done either by setting the machine itself to a static IP or, depending on the router, by configuring the router to hand out the same IP address to a machine with a specific MAC address. Effectively the results are the same.

Static IPs are useful as the actual IP addresses will be listed in the exports file. It may be possible to use names, however this depends on how DNS is handled on your network. Using the actual IP addresses will make initial setup nearly foolproof. Also, an easy way to use names on any machine is to add the static IPs and names of the machines on the network to the /etc/hosts file.

Install NFS Support

To install support for NFS on the machines run….

sudo apt-get install nfs-kernel-server

Exports File on Server

Modify the server's /etc/exports file to suit your needs. Below is an example from my system on the Raspberry Pi. Remember to restart the NFS server when you have made changes to the file….

sudo service nfs-kernel-server restart

/etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/srv/homes       192.168.1.9(rw,sync,no_subtree_check)
/home/erick      192.168.1.0/24(rw,all_squash,anonuid=1001,anongid=1004,no_subtree_check)
/                192.168.1.9(rw,no_root_squash,anonuid=1001,anongid=1004,no_subtree_check)

My initial try at this was to loosely follow an example and create a /srv/homes directory and export it to one machine at 192.168.1.9. rw = read-write access, sync = change both folders on server and client to keep them synced, no_subtree_check = keeps the machine from having to check consistency of file names, which prevents problems if a file is open and the file is renamed.

Then I decided to export my own home directory to all of the machines on the LAN, using 192.168.1.0/24, which allows access from 192.168.1.1-192.168.1.255. This time I am using all_squash, which maps all UIDs and GIDs to nobody and nogroup, then setting anonuid=1001, my UID on the Rasp Pi, and anongid=1004, my group on the Rasp Pi, so they map over to the correct UID and GID for myself on the other machines. Therefore I have no problem with read-write access as the same user on the other machine to the NFS drive.

The next line exports the entire file system to one machine, but has no_root_squash set, which allows the root to access and create files as root on the server. This is one to be careful with, I use it only when I need to mount the entire file system and usually I have to move things around or something as root anyways, but as always be cautious.
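
To check an exports file for the points just discussed (how wide the client list is, no_root_squash, exporting the whole filesystem, rw shares where UIDs map 1:1 across machines), here is an added audit script. It is my example, not from the original post; the /srv/public line in its sample input is constructed, and it treats the classic exports(5) gotcha of a space before the option list as an export to everyone.

```python
"""Audit /etc/exports for wide-open client lists, no_root_squash, exporting "/",
and rw shares without all_squash. Added example, not part of the original post."""
import ipaddress
import re

# Constructed sample: the three export lines from this post, plus one
# deliberately wide-open line (/srv/public) that is not in the original file.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
/srv/homes       192.168.1.9(rw,sync,no_subtree_check)
/home/erick      192.168.1.0/24(rw,all_squash,anonuid=1001,anongid=1004,no_subtree_check)
/                192.168.1.9(rw,no_root_squash,anonuid=1001,anongid=1004,no_subtree_check)
/srv/public      *(rw,no_root_squash)
"""

# a client spec is "<host-or-net>(opt,opt)"; either part may be absent
_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, client, option_set) tuples, one per client."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        if not clients:
            clients = ["*"]   # exports(5): no client list means everyone
        for token in clients:
            m = _CLIENT_RE.match(token)
            if m is None:
                continue      # malformed token, exportfs would reject it too
            client = m.group(1) or "*"   # "(rw)" with no host also means everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries


def client_scope(client):
    """Classify a client spec as 'world', 'subnet' or 'host'."""
    if client == "*":
        return "world"
    if "*" in client or "?" in client:
        return "subnet"   # wildcard hostname: many machines, not one
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "host"     # hostname or @netgroup, resolved by the server
    return "host" if net.num_addresses == 1 else "subnet"


def audit_exports(entries):
    """Map each exported path to a sorted list of finding codes."""
    report = {}
    for path, client, opts in entries:
        codes = report.setdefault(path, set())
        scope = client_scope(client)
        if scope == "world":
            codes.add("WORLD")            # anyone who can reach the NFS port
        if "no_root_squash" in opts:
            codes.add("NO_ROOT_SQUASH")   # client root is root on the server
        if path == "/":
            codes.add("ROOT_EXPORT")      # whole filesystem, not one directory
        if "rw" in opts and scope != "host" and "all_squash" not in opts:
            codes.add("RW_SHARED_UIDS")   # any UID on any client writes as that UID
    return {path: sorted(codes) for path, codes in report.items()}


if __name__ == "__main__":
    for path, codes in audit_exports(parse_exports(SAMPLE_EXPORTS)).items():
        print(f"{path:<12} {', '.join(codes) or 'ok'}")
```

Run it against a copy of your own /etc/exports by reading the file into parse_exports instead of SAMPLE_EXPORTS.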

Restart Required

After modifying the /etc/exports file the NFS server needs to be restarted using…

sudo service nfs-kernel-server restart

Client Machine

You have to install the common code for NFS on the client machine.

sudo apt-get install nfs-common

Mount Commands

My Home Directory on the Raspberry Pi

In this case I am mounting my home directory from the Pi under /home/erick-pi. I had to use the nolock option because I was getting an error without it, other than that it works fine.

Example of the mount command from the command line…

sudo mount -o nolock 192.168.1.17:/home/erick /home/erick-pi

Entire Root Directory

Occasionally I want to mount the entire file system of the Raspberry Pi at a location on one PC.

sudo mount -o nolock 192.168.1.17:/ /mnt/nfs/srv/

Mount Scripts

For situations that only apply occasionally, such as the above example of mounting the entire directory structure, I have created some scripts, placed them in the bin folder under my home folder and made them executable with chmod +x filename. Then I can run them as needed with a filename that makes sense to me; the one for the code below is rasp-pi-mount-root.sh.

#! /bin/bash
sudo mount -o nolock 192.168.1.17:/ /mnt/nfs/srv/

intr option

Note that the intr option for NFS mounts is a good one if the computer loses its connection with the server. With the Raspberry Pi this is never an issue for me, but it is with other servers. It allows an interrupt to stop NFS requests if the server goes down or the connection is lost. If intr is not used NFS will keep trying and the process will hang, requiring a reboot. I have had this occur mostly with servers that are on only part time. Most likely, I started the server and then put my computer on standby. When I start it and the server is off, NFS will hang looking for the mount points that have disappeared. This will hang not only the X window folders, but also any command in a terminal that has to touch NFS, such as df -h, which tries to look for something that is not there anymore.

Hard and Soft Options

The hard and soft options are what they sound like. Soft mounts give up after a timeout and don't keep trying to write to or read from an NFS mount point if it flakes out or goes down. Soft mounts should only be used for read-only mounts, as data being written can be corrupted if a soft mount gives up, where a hard mount will just keep trying until the mount comes back. If there is an issue with a writable mount point flaking or dropping, it is best to mount hard (the default) and use the intr option.

Mounting on Startup

It is possible to set up the /etc/fstab file to mount the NFS drive on start up.  It is as simple as adding the following line to the file…

192.168.1.17:/home/erick    /home/erick-pi    nolock    0    0

On my laptop this did not work. I remembered that wireless LAN is handled at the user level and is not up during boot, when mount points are handed out via the /etc/fstab file. So I got an error about the mount point not being found.

On my desktop running Lubuntu 14.04, connected via Ethernet cable, the line above did not work either but I modified it as follows and it worked. It might be that I left out the part with nfs, although I thought that the OS could tell it was a NFS mount from the format, oh well. I also decided to mount it right under my home folder on the desktop…

192.168.1.17:/home/erick    /home/erick/erick-pi nfs   auto,nolock    0    0

On the desktop once the drive is mounted it will stay mounted even if I reboot the Rasp Pi while the desktop PC is running.

Delayed Mount on Startup

To mount an NFS drive on a machine that has wireless, you have to mount it after it connects to the router, and by then it is already running at the user level. You have to trick the system into waiting. There are multiple ways of doing this. I chose putting a line into the root crontab and used sleep 60 for the delay. After all, most mounting has to be done as root anyway.

So I put a 60 second delay in before the mount command executes in the root crontab using the @reboot directive…

@reboot bash -c "sleep 60; mount -o nolock 192.168.1.17:/home/erick /home/erick-pi"

To edit the root crontab, simple do…

sudo crontab -e

To simply list what is in the root crontab, which is how I cut and pasted the code above, simply do…

sudo crontab -l

Using Names

It is entirely possible to use names instead of IP addresses when you mount NFS drives, and even in the /etc/exports file. One caution: if DNS is down or flaky on your LAN, it could present a problem with reliably mounting drives. Therefore I recommend adding the server names to your /etc/hosts file. On my LAN I take it a step further: the servers are all set with static IPs, and my router has the ability to always hand out the same IP to a machine at a specific MAC address, so I use that for laptops etc. that normally connect to the network. So in effect every normally used device has a static IP. Therefore I can put them all in /etc/hosts and I don't even have to care about DNS on the LAN for the machines on it 99% of the time.

/etc/hosts comes with the top two entries, just add what you want to it. As you can see commenting them out works too. The erick-MS-6183 server is down, probably for good at this point!

127.0.0.1        localhost
127.0.1.1        erick-laptop
#192.168.1.11    erick-MS-6183
192.168.1.2      renee-pc
192.168.1.9      erick-laptop
192.168.1.10     ubuntuserver
192.168.1.17     raspberrypi

Gotcha

One time I was backing up my laptop to a laptop-backup directory under my home folder on the big file server. The problem was that I had my home folder on the big file server set as an NFS mount as a folder under my home folder on the laptop. It copied in circles until the hard drive filled up. Oh well, learned the hard way on that one! Be careful of NFS mounts, and even symlinks to places, when running backups.

NFS and Users

With users there is the notion of the name and then there is the numerical UID. NFS uses the numerical UID to map across machines. If you plan on using NFS on multiple machines, it pays to keep the UID’s lined up between them. For example, if you set up 2 Linux machines from scratch, there will be a user at UID 1000, that would be you, whatever you called it by name. The first user is at 1000. If you use NFS to mount a directory from one machine to another, no problem it all lines up. The user at UID 1000 is the same on both machines, permissions work out, files can be moved back and forth, no problems.

Resources

Used this one to get started with NFS…

https://help.ubuntu.com/community/SettingUpNFSHowTo

Helped to figure out the whole user and group ID mapping

NFS: Overview and Gotchas

exports(5) – Linux man page

Easy to follow, I think I might have started with this one,

Setting up an NFS Server and Client on Debian Wheezy

I need to look at this one for a sanity check on the errors when I launch NFS server on Raspberry Pi,

Problem with NFS network

SSH Keys

On one of my servers, once I got it set up right and working smoothly, there was rarely a need to log into it remotely via SSH. So I left the SSH port 22 closed down in the router. When I really needed to log into it, I would log into the router, hit the DMZ button and briefly open up all the ports to the server. Then I would SSH into it using the normal username and password combo, do my business and lock down the ports again.

I learned about SSH Keys a few years back while I was doing some volunteer work on a site. The owner of the server had SSH Keys set up on it so that I could use WinSCP to move files up to it. He believed, rightly so, in keeping the security beefed up and didn't bother with FTP at all. Recently (February 2015) I purchased a Raspberry Pi. Eventually it will replace one of the servers I run. For now it is a test bed and I would like to be able to log right in, no fiddling with the router! Plus, why not make it more secure; that is where SSH Keys come in.

I hunted down the method to set up SSH Keys online. Not hard at all. I followed one article that helped set up the keys and it logged in great. But I could still also log in via username and password, so I had to apply another step beyond what the article explained.

Finally, once you open up port 22, many attempts to login will occur on the port and you can see this in your router log. Mine is setup to email me the router log and I quickly noticed that I was being emailed logs one after the other. I decided to change the default port 22 to map to an obscure number higher than 1024 by adjusting the port forwarding in the router.

Installing SSH Server

In case you haven’t installed the server part of SSH on your machine here is the command line directive…

sudo apt-get install openssh-server

Setting up SSH Keys (Public Key Authentication)

These are examples of the commands that I used to set up the keys while on the client machine. It is best to try this while you are not too far from your machine physically, just in case something goes wrong and you need to get on the machine directly.

Create the RSA Public/Private Key on the client machine

You will be asked where you want the key stored the default is the .ssh directory under your home folder with a filename of id_rsa. Then you will be asked to provide a passphrase, hit enter if you do not want a passphrase. A passphrase provides an extra level of security. If someone gets a hold of your machine or private key, they still need the passphrase to get anything going.

ssh-keygen -t rsa

You will get the following message. Depending on the machine, it may take a few seconds after the first line, while the machine is doing the calculation before you see the second line. The Raspberry Pi took about 3-4 seconds to spit out the second line.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa):

The file is alright by default, hit enter, unless you have another place that you need it and know what you are doing. I assume some config file in the system expects the key in the .ssh folder.

Next comes the passphrase question…

Enter passphrase (empty for no passphrase):

…and again….

Enter same passphrase again:

Finally the key is generated and a randomart image is generated, interesting looking but nothing we need for this operation…

Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
d7:33:ed:91:ab:00:a7:bd:15:8d:15:21:fe:ed:6b:df pi@raspberrypi
The key's randomart image is:
+--[ RSA 2048]----+
|            . o. |
|           . . . |
|            . .  |
|           . * o |
|        S o * * .|
|         *   = + |
|        . o . o .|
|           + . .o|
|          . . ..E|
+-----------------+

Copy the Public Key to the Server

Next you will copy the key up to the server using the ssh-copy-id command. It will log you in and you will use your normal password that you have for your login and then it will copy the key to the server. The example shows that the user is pi and the ip=192.168.1.17. Change these to your id and server IP.

ssh-copy-id pi@192.168.1.17

In this example I am installing it on the same machine that I created it. So this is what I see…

pi@raspberrypi ~ $ ssh-copy-id pi@192.168.1.17
The authenticity of host '192.168.1.17 (192.168.1.17)' can't be established.
ECDSA key fingerprint is 7e:f0:94:8a:bd:f2:95:44:f3:a5:36:ff:e3:64:48:a3.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added '192.168.1.17' (ECDSA) to the list of known hosts.

…And the key is added.

Test It

Now you can login to your server with the newly created keys. But you still can also login via the username and password combo.

Making it SSH Key Only login

You need to change sshd_config so that only public key authentication is accepted. This step requires editing the sshd_config file, which I didn't remember the location of, so I used…

sudo find / -name sshd_config

Edit it …

sudo nano /etc/ssh/sshd_config

Find the line that reads PasswordAuthentication. By default it is commented out, and the commented-out default value is yes.

Set it to no and make sure it is uncommented…

PasswordAuthentication no

Check to see that this is set also…

ChallengeResponseAuthentication no

Restart the SSH server…

sudo service ssh restart

Remapping the SSH Port 22 to something less obvious

If you don't remap the port, lots of hits happen to it: attempts to log in that will fill up your router logs. In theory someone can still find the new port, but they would have to get lucky or scan the ports, so this does cut down on bogus login attempts significantly.

There are two ways of doing this: in the configuration file sshd_config, or by setting up the port forwarding in your router. I left sshd_config set at port 22 and made the change in the router. I only care about the port being mapped to something else for the outside world; on my LAN it can stay 22, so I can simply use ssh servername and not specify a port.

sshd_config mod method

There is a line near the beginning of the file, change the 22 to something else and restart the sshd server…

# What ports, IPs and protocols we listen for
Port 22

Router Port Forward Mapping Change Method

Or go into your router and find the port forwarding. In my Netgear router it was under Advanced –> Port Forwarding/Port Triggering. You will see a list that allows these to be changed…

#  Service Name  External Start Port  External End Port  Internal Start Port  Internal End Port  Internal IP address

Set it up for a port other than 22 for External Start and End Port, 5678 in this example…

   SSH           5678                 5678               22                   22                 192.168.1.170

More Tightening of SSH Security

I have not done any of this yet on my machine, but FYI: under the spot in sshd_config where the port is set there is a place where you can list the local addresses (interfaces) that sshd will bind to and listen on. This restricts where connections to the machine can arrive…

# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0

It is also possible to further restrict which users are allowed or denied access to the machine via SSH. This is accomplished by using the AllowUsers, AllowGroups, DenyUsers and DenyGroups directives.

Example…

AllowUsers joe bob naomi
AllowGroups workinggroup powerusergroup
DenyUsers tempuser1 tempuser2
DenyGroups gaming

You can also block the ability to login as root, so that users will have to su to root once logged in.

PermitRootLogin no
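
To check that the sshd_config edits from the key-only login section and the restrictions just listed actually took effect, here is an added audit script; it is mine, not from the original post. The BEFORE and AFTER file contents are constructed samples, a directive that is absent or commented out is treated as not disabled (sshd's compiled-in default), and KbdInteractiveAuthentication is accepted as the newer spelling of ChallengeResponseAuthentication.

```python
"""Check an sshd_config for the settings this post changes: key-only login,
root login, listen address, user whitelist and port. Added example, not part
of the original post."""
import re

# Constructed sample: a stock-looking config before the edits described above.
BEFORE = """\
# What ports, IPs and protocols we listen for
Port 22
#ListenAddress ::
#ListenAddress 0.0.0.0
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: the same file after the edits; the Match block shows that
# a per-user exception does not change the global setting.
AFTER = """\
Port 5678
ListenAddress 192.168.1.17
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers joe bob naomi
Match User backup
    PasswordAuthentication yes
"""

# keyword, then whitespace or '=', then the value
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of sshd_config.

    sshd keeps the FIRST value it sees for a keyword, so later duplicates are
    ignored here as well. Parsing stops at the first Match block, because its
    settings apply only to matching connections, not globally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a sorted list of finding codes for the global settings."""
    cfg = parse_sshd_config(text)

    def is_no(key):
        return cfg.get(key, "").lower() == "no"

    findings = []
    # Key-only login: both must be an explicit 'no'; when the line is absent or
    # commented out, sshd's compiled-in default is 'yes'.
    if not is_no("passwordauthentication"):
        findings.append("PASSWORD_LOGIN_ENABLED")
    if not (is_no("challengeresponseauthentication") or is_no("kbdinteractiveauthentication")):
        findings.append("CHALLENGE_RESPONSE_ENABLED")
    if is_no("pubkeyauthentication"):
        findings.append("PUBKEY_DISABLED")   # key-only login would lock everyone out
    # Further tightening: root login, listen address, whitelist, port
    if cfg.get("permitrootlogin", "").lower() not in ("no", "prohibit-password", "without-password"):
        findings.append("ROOT_LOGIN_ALLOWED")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("NO_USER_WHITELIST")
    if "listenaddress" not in cfg:
        findings.append("LISTENS_ON_ALL_INTERFACES")
    if cfg.get("port", "22") == "22":
        findings.append("DEFAULT_PORT")
    return sorted(findings)


if __name__ == "__main__":
    print("before:", audit_sshd_config(BEFORE) or "clean")
    print("after: ", audit_sshd_config(AFTER) or "clean")
```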

Encryption and Keys

Creating keys such as the RSA pair is an interesting mathematical concept. It falls in the realm of one way functions. You can have the public key and have only remote odds of being able to generate the corresponding private key by a brute force search. But, the other way around is easy. It’s kind of like glass breaking or throwing a cup of water in the ocean, in theory it is all still there, but to put it back together is nearly impossible.

In physics this is what makes “time” on the macro scale. On the quantum level, time really doesn’t matter. You can play particles interactions backwards and forwards and it all works out OK. Feynman diagrams, work both ways. But on the macro level, a lot of things just go one way, just like the hash algorithms that generate the encryption keys. The same thing applies to hashes to generate look up tables, it is easy to go one way, to the lookup from the hash, but harder to go the other way. Ratchets, diodes and worm gears, go one way but not the other.

Resources

How To Set Up SSH Keys

How do I force SSH to only allow uses with a key to log in?

7 Default OpenSSH Security Options You Should Change in /etc/ssh/sshd_config

Ubuntu Server Guide OpenSSH Server

Alternatives to FTP

One server I have is fairly low on resources, so I opted not to run FTP. It would just mean yet another service that would have to run on a low RAM unit. So to move files to and from this server I use scp or sftp from Linux and WinSCP from Windows.

SCP Example

These examples assume you can SSH into your server!

Using an FQDN

The following example shows downloading a directory's contents from a remote server using a fully qualified domain name.

scp -r username@serverlocation.com:/home/username/dir /home/username/dir

Using an IP address

On the local network, in this example using an IP address, copying remote to local.

scp -r user@192.168.1.101:/home/user/fswebcam /home/user/fswebcam

Example of uploading a single file from the user's home directory to a specific location under the user's home directory tree on a remote computer; note the tilde (~) means the user's home directory.

scp ~/fswebcam/timelapse/dusk.avi user@12.34.56.78:/home/user/files/public/timelapse-video/dusk.avi

SFTP

To connect using SFTP (file transfer over an SSH connection), you can typically use the “Connect to Server” dialog, found for instance in Ubuntu under Places.

  • Set connection type to SSH
  • Set the server: IP address or FQDN
  • Port is set to 22, the standard SSH port
  • Folder is set to any folder that the user has permission to get into, /home/user is a safe bet.
  • Username is set
  • You can add a bookmark to keep getting in to this connection
  • It will ask for your login password upon connecting

[Image: Connect to Server in Ubuntu, Place Menu]

SFTP via Browser

Also from a Firefox browser (haven't tried this on others!) you can simply put sftp://user@serveraddress in the address bar. This will connect you to your home folder after you give the password at the prompt. I noticed that in Ubuntu it will do the same thing that the “Connect to Server” option does: it will show a folder on the desktop for the sftp connection after connecting with the browser.

WinSCP

From Windows I have used the tool WinSCP for years as it supports FTP, SFTP and SCP. http://winscp.net/eng/index.php
It also adds support, perhaps by editing the registry, for using the sftp:// type of connection via Windows Explorer.

rsync

For Linux there is also the command rsync, remotely synchronize directories. I haven’t used this but once or twice so I don’t have much to say about it yet.

One more comment on SSH. Typically I leave SSH (port 22) closed and open it up only when needed on this server. I do this by remotely logging into my router and opening and closing it. Alternatively you could configure a firewall to allow only certain IP addresses a connection to SSH and deny all others. This can be done by directly editing the iptables rules (I will write more on this, TBD) or by using a tool such as UFW, or its graphical version GUFW, to handle this.