Wednesday, October 29, 2008

HowTo: Using Fstab entries to mount Samba shares on Linux

Samba is an Open Source/Free Software suite that provides file and print services to all manner of SMB/CIFS clients. Samba is freely available, and allows for interoperability between Linux/Unix servers and Windows-based clients.

Samba shares can be accessed in several ways, such as issuing the mount command, using /etc/fstab entries, or accessing them through file browsers such as Konqueror, Midnight Commander and Nautilus.

This post addresses /etc/fstab entries on Linux systems.

To automatically mount a Samba share at boot time we need to edit the /etc/fstab file and add the necessary entry:
  • $ su
  • # vim /etc/fstab
//192.168.0.1/share /mnt/samba smbfs username=username,password=yourpassword 0 0
Because /etc/fstab is readable by every local user, it's not a good idea to put a username and password in it. So change the username=username,password=password section and replace it with credentials=/root/.fstabcredentials:
  • # vim /etc/fstab
//192.168.0.1/share /mnt/samba smbfs credentials=/root/.fstabcredentials 0 0
Next we create the /root/.fstabcredentials file and add the needed information:
  • # vim /root/.fstabcredentials
username=username
password=password
Substitute the username and password arguments according to your system.

To restrict access to the file to root only, we change its permissions:
  • # chmod 600 /root/.fstabcredentials
And that's it!
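As an added check that is not part of the original post, the script below audits an fstab-style file the way a defender would after following the steps above: it flags smbfs/cifs entries that still carry password= inline and verifies that any credentials= file is mode 600. The fixture directory, the share //192.168.0.1/share and the user alice are constructed for the demonstration; nothing here touches the real /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post: audit an fstab-style file for SMB/CIFS
# entries that embed a password inline, and check that any credentials= file has
# mode 600. All paths and entries below are constructed for the demonstration.

# mode_is_600 FILE: true when the permission bits shown by ls are exactly rw-------
mode_is_600() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# audit_smb_fstab FSTAB: prints one finding per line; returns 0 when clean, 1 otherwise
audit_smb_fstab() {
    findings=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac            # skip blank lines and comments
        case "$fstype" in smbfs|cifs) ;; *) continue ;; esac  # only SMB/CIFS mounts matter here
        case ",$opts," in
            *,password=*)
                echo "INLINE-PASSWORD $dev on $mnt: move it to a credentials= file"
                findings=$((findings + 1)) ;;
        esac
        case ",$opts," in
            *,credentials=*)
                cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
                if [ ! -f "$cred" ]; then
                    echo "MISSING-FILE $cred referenced by $dev"
                    findings=$((findings + 1))
                elif ! mode_is_600 "$cred"; then
                    echo "WEAK-MODE $cred: expected 600, got $(ls -ld "$cred" | cut -c1-10)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# make_fixture: builds a temporary directory holding a mode-600 credentials file and
# two constructed fstab files, one clean and one with the password inline; prints the path
make_fixture() {
    dir=$(mktemp -d)
    printf 'username=alice\npassword=example-only\n' > "$dir/creds"
    chmod 600 "$dir/creds"
    printf '//192.168.0.1/share /mnt/samba smbfs credentials=%s 0 0\n' "$dir/creds" > "$dir/fstab-clean"
    printf '//192.168.0.1/share /mnt/samba smbfs username=alice,password=example-only 0 0\n' > "$dir/fstab-inline"
    echo "$dir"
}

# Demo run: the clean file passes, the inline-password file produces one finding
DEMO_DIR=$(make_fixture)
for f in fstab-clean fstab-inline; do
    if audit_smb_fstab "$DEMO_DIR/$f"; then echo "$f: clean"; else echo "$f: see findings above"; fi
done
```

Run it against the real file with `audit_smb_fstab /etc/fstab` as root; a non-zero exit status means at least one entry still needs the credentials= treatment or the credentials file is readable by others.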

Resources:
http://us3.samba.org/samba/

HowTo: Network traffic & bandwidth monitoring with darkstat on Gentoo

Following in the footsteps of installing darkstat on my old 266 MHz FreeBSD machine, I've mirrored the install procedure on my 1.3 GHz Pentium-M Gentoo Hardened server. This post will cover the installation and configuration of darkstat on an x86 machine running Gentoo Hardened stable.

darkstat captures network traffic, calculates statistics about usage, and serves reports over HTTP.

darkstat provides the following features:
  • Traffic graphs, reports per host, shows ports for each host.
  • Embedded web-server with deflate compression.
  • Asynchronous reverse DNS resolution using a child process.
  • Small. Portable. Single-threaded. Efficient. Uncomplicated.
Follow the steps below to update the portage tree and install darkstat:
  • $ su
  • # eix-sync
  • # emerge --ask --tree --verbose darkstat
To enable darkstat at boot time add it to the default runlevel by:
  • # rc-update add darkstat default
Now let's edit /etc/conf.d/darkstat to identify the network interface (in my case eth0) that we wish to monitor and enable logging:
  • # vim /etc/conf.d/darkstat
INTERFACE="eth0"
DAYLOGFILE="darkstat.log"
The next step is to start darkstat by running the following command:
  • # /etc/init.d/darkstat start
To check darkstat daemon status:
  • # /etc/init.d/darkstat status
By default darkstat serves graphs at http://localhost:667, so fire up your browser and point it to that location. If you are planning (like me) on accessing the graphs from another location, add port 667 (you can choose another port number in /etc/conf.d/darkstat) to your router's port forwarding settings.

Hope you enjoy darkstat. I find it extremely useful and refreshing.

Resources:
man darkstat
http://dmr.ath.cx/net/darkstat/
http://linux-bsd-sharing.blogspot.com/2008/10/howto-network-traffic-bandwidth.html

Tuesday, October 28, 2008

HowTo: Setup a Rsync server on Gentoo

I've been invited to write for TuxTraining and help it become a reference for open source users, so this and future posts will most likely be available at TuxTraining.

If you are looking for tutorials, tips and guides covering not only Linux but also BSD and Solaris visit the site. It's updated on a daily basis so I'm sure you'll find it to be very useful.

The goal of this tutorial is to detail the needed steps to setup a general purpose rsync server on Gentoo. Note: this guide doesn't focus on setting up your own Gentoo local rsync mirror, for that please consult Gentoo's official documentation on the matter, namely Gentoo Linux rsync Mirrors Policy and Guide.

rsync is an open source utility that provides fast incremental file transfer, available on multiple platforms such as Linux, *BSD and Solaris.

Let's begin by becoming the superuser, synchronizing the portage tree and installing rsync:
  • $ su
  • # eix-sync
  • # emerge --ask --tree --verbose net-misc/rsync
Having installed rsync let's add it to the default runlevel so that it automatically starts at boot time:
  • # rc-update add rsync default
Now we move on to the rsync server configuration. The rsync server works with modules, which are defined in the /etc/rsyncd.conf file. Let's set up a general purpose module:
  • # vim /etc/rsyncd.conf
motd file = /usr/local/etc/rsync.motd
log file = /var/log/rsyncd.log
pid file = /var/log/rsyncd.pid
lock file = /var/log/rsyncd.lock
transfer logging = true
use chroot = yes
[backup]
path = /home/username
read only = yes
list = yes
comment = Example of a rsync backup module
hosts allow = 192.168.1.0/24
Note that an rsync server returns its list of modules (those with list = yes) when it is queried with a trailing double colon:
  • $ rsync example.no-ip.org::
backup Example of a rsync backup module
To start the rsync server immediately:
  • $ su
  • # /etc/init.d/rsyncd start
An example of a client-side synchronization:
  • $ rsync -avz example.no-ip.org::backup/ /destination/
This recursively transfers all files from the backup module directory on the example.no-ip.org machine into the /destination directory on the local machine. The -a flag transfers the files in "archive mode", which ensures that symbolic links, devices, attributes, permissions, ownership, etc. are preserved in the transfer. The -z flag compresses the data portions of the transfer to reduce their size.

Take a look at the utility's website for ideas on how to use rsync in useful ways.

Additional sources of information:
rsync website
man rsync
man rsyncd.conf

Tuesday, October 21, 2008

HowTo: IPFW firewall setup on FreeBSD

Today I'll lay down the steps needed to enable and configure FreeBSD's IPFW firewall.

The IPFIREWALL (IPFW) is a FreeBSD sponsored firewall software application authored and maintained by FreeBSD volunteer staff members. It uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as Simple Stateful logic.

I'm running FreeBSD 7.0 and use freebsd-update to update the system side of FreeBSD, so this guide assumes that you're using a stock kernel. However, if you're running a custom kernel, take a look here (Section 31.6.1) before using this guide.

Let's start by becoming the superuser and enable IPFW at boot time:
  • % su
  • # vi /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"
Now we define an IPFW rule set. Below you'll find a rule set shamefully stolen from here and adapted to my needs:
  • # vi /usr/local/etc/ipw.rules
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (21), ssh (22), mail (25)
# http (80), dns (53), mldonkey (4080, 21452, 6882),
# darkstat (667)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 4080 in
$IPF 230 allow udp from any to any 4080 out
$IPF 240 allow tcp from any to any 21452 in
$IPF 245 allow udp from any to any 21452 in
$IPF 250 allow tcp from any to any 21452 out
$IPF 255 allow udp from any to any 21452 out
$IPF 260 allow tcp from any to any 6882 in
$IPF 270 allow tcp from any to any 6882 out
$IPF 280 allow tcp from any to any 667 in
$IPF 290 allow tcp from any to any 667 out
$IPF 300 allow tcp from any to any 1024-65000 keep-state

# deny and log everything
$IPF 500 deny log all from any to any
If you aren't planning to use FTP, remove the $IPF 300 allow tcp from any to any 1024-65000 keep-state line. It exists only to work around IPFW's trouble with FTP data connections, and it opens the whole 1024-65000 TCP range.
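Before loading a rule set like the one above it pays to lint it. The script below, an added example that is not part of the original post, reads an ipfw rules file of that shape and checks that it flushes first, that rule numbers ascend, that the last rule is the logged deny-all, and lists every port opened inbound together with any port range. The rule set it runs on is a constructed, shortened version of the one in the post.

```shell
#!/bin/sh
# Added example, not from the original post: lint an ipfw rules script of the shape
# shown in the post (IPF="ipfw -q add" followed by "$IPF N action ..." lines).
# The rule set written by make_ipfw_fixture is constructed and shorter than the post's.

# lint_ipfw_rules FILE: prints findings and an inbound-port summary; exit 0 when sane
lint_ipfw_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }                                  # comments and blank lines
    /^IPF=/ { next }                                         # the variable definition
    /^ipfw[ \t]+-q[ \t]+-f[ \t]+flush/ { if (rules == 0) flushed = 1; next }
    $1 == "$IPF" {
        rules++
        num = $2 + 0
        if (num <= prev) { print "ORDER: rule " num " comes after " prev; bad++ }
        prev = num
        last = $0
        # shape: $IPF N allow PROTO from SRC to DST PORT in
        if ($3 == "allow" && $NF == "in" && NF >= 10) print "INBOUND " $4 " " $9
        if ($3 == "allow" && $9 ~ /-/) print "RANGE: rule " num " opens " $4 " " $9
        next
    }
    { print "UNPARSED: " $0; bad++ }
    END {
        if (!flushed) { print "NO-FLUSH: rules would be appended to whatever is loaded"; bad++ }
        if (last !~ /deny[ \t]+log[ \t]+all[ \t]+from[ \t]+any[ \t]+to[ \t]+any/) { print "NO-FINAL-DENY"; bad++ }
        exit bad ? 1 : 0
    }' "$1"
}

# make_ipfw_fixture: writes a constructed rules file to a temp path and prints it
make_ipfw_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# ssh (22), dns (53), http (80), ftp data workaround
$IPF 130 allow tcp from any to any 22 in
$IPF 170 allow udp from any to any 53 in
$IPF 200 allow tcp from any to any 80 in
$IPF 300 allow tcp from any to any 1024-65000 keep-state

# deny and log everything
$IPF 500 deny log all from any to any
EOF
    echo "$f"
}

# Demo run: three INBOUND lines, one RANGE line, exit 0
lint_ipfw_rules "$(make_ipfw_fixture)" || echo "rule set has problems"
```

Point it at /usr/local/etc/ipfw.rules before running `sh` on the file; the INBOUND summary is the quickest way to confirm that only the services you meant to expose are listed, and the RANGE line makes the FTP workaround visible so it is not forgotten once FTP is retired.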

To send IPFW log messages to their own file, run the following commands:
  • # vim /etc/syslog.conf
!ipfw
*.* /var/log/ipfw/ipfw.log
  • # mkdir /var/log/ipfw
  • # touch /var/log/ipfw/ipfw.log
  • # killall -HUP syslogd
Setting firewall_logging="YES" in rc.conf sets net.inet.ip.fw.verbose to 1. To raise net.inet.ip.fw.verbose_limit (the number of times a single rule is logged before further messages for it are suppressed) to 5:
  • # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
  • # sysctl net.inet.ip.fw.enable=1
  • # sysctl net.inet.ip.fw.verbose=1
  • # sysctl net.inet.ip.fw.verbose_limit=5
To start IPFW and load the rules set:
  • # /etc/rc.d/ipfw start
  • # sh /usr/local/etc/ipfw.rules
The following command shows the rules list that is currently loaded:
  • # ipfw list
And we're done. In future I plan to try OpenBSD's PF firewall so stay tuned ;-)

Resources:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://tuxtraining.com/2008/10/16/setting-up-firewall-using-ipfw-in-freebsd
http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/

Monday, October 20, 2008

HowTo: Network traffic & bandwidth monitoring with darkstat on FreeBSD

My old Celeron 266 MHz runs a couple of network related services, namely MLDonkey and FTP.

With the goal of monitoring network and bandwidth traffic I used vnStat. vnStat is a small and efficient console-based application; however, I wanted something that could serve the statistics over HTTP, and this is where darkstat fills the bill.

darkstat captures network traffic, calculates statistics about usage, and serves reports over HTTP.

darkstat provides the following features:
  • Traffic graphs, reports per host, shows ports for each host.
  • Embedded web-server with deflate compression.
  • Asynchronous reverse DNS resolution using a child process.
  • Small. Portable. Single-threaded. Efficient. Uncomplicated.
Follow the steps below to install darkstat on FreeBSD 7.0:
  • % su
  • # cd /usr/ports/net-mgmt/darkstat
  • # make install clean
  • # rehash
To enable darkstat at boot time add the following lines to /etc/rc.conf:
darkstat_enable="YES"
darkstat_interface="rl0"
Change the darkstat_interface to reflect your network interface (mine is rl0).

Below you'll find a set of optional configuration flags that can be added to /etc/rc.conf:
darkstat_dir="/var/run/darkstat"
darkstat_pidname="darkstat.pid"
darkstat_dropuser="nobody"
darkstat_flags=""
Now that we have darkstat installed and configured let's start it:
  • # /usr/local/etc/rc.d/darkstat start
To check darkstat daemon status:
  • # /usr/local/etc/rc.d/darkstat status
By default darkstat serves graphs at http://localhost:667, so fire up your browser and point it to that location. If you are planning (like me) on accessing the graphs from another location, add port 667 to your router's port forwarding settings.

Hope you enjoy darkstat. I find it extremely useful and refreshing.

Resources:
http://dmr.ath.cx/net/darkstat/
man darkstat

HowTo: Setup a Pure-FTPd server with virtual users on FreeBSD

Having set up an FTP server using FreeBSD's own ftpd, I decided to explore other FTP server options, namely Pure-FTPd.

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server.

This guide provides instructions for using the virtual user system to manage and control users. By using virtual users, FTP accounts can be administrated without affecting system accounts.

Let's initiate Pure-FTPd's installation by entering the following commands:
  • % su
  • # cd /usr/ports/ftp/pure-ftpd
  • # make config
A menu containing Pure-FTPd options will pop-up. In my case, I've opted to leave these options at their defaults.
  • # make install clean
  • # rehash
Having finished the installation process we now move on to the configuration stage. We'll start by copying the sample configuration file and setting the configuration options:
  • # cd /usr/local/etc
  • # cp pure-ftpd.conf.sample pure-ftpd.conf
  • # chmod 644 pure-ftpd.conf
The chmod command was run to be able to edit the file (default permissions are set to -r--r--r--).
  • # vi pure-ftpd.conf
VerboseLog yes
PureDB /usr/local/etc/pureftpd.pdb
CreateHomeDir yes
The CreateHomeDir option makes adding virtual users easier by creating a user's home directory upon login (if it doesn't already exist).

We can either import users with system-level accounts (defined in /etc/master.passwd) at once or create new users manually. To import users that already exist on your system into the virtual user database, enter these commands:

  • # pure-pwconvert >> /usr/local/etc/pureftpd.passwd
  • # chmod 600 /usr/local/etc/pureftpd.passwd
  • # pure-pw mkdb
It should be noted that pure-pwconvert only imports accounts that have shell access. Accounts with the shell set to nologin have to be added manually.

To add users to the Pure-FTPd virtual user database manually, we need to create a system-level account that will be associated with virtual users. Create a new user named vftp like this:
  • # pw useradd vftp -s /sbin/nologin -w no -d /usr/home/vftp -c "Virtual FTP user" -m
Having done this we can now add users to the virtual users database using the commands below:
  • # pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
  • # pure-pw mkdb
Replace user with the desired username. With the -d flag, the user will be chrooted to that directory. If you want to give the user access to the whole filesystem, use -D instead of -d.

If you want to add additional users, just repeat the commands above with a different user.

To remove a user:
  • # pure-pw userdel user

Now to start Pure-FTPd:

  • # /usr/local/etc/rc.d/pure-ftpd onestart

Initiate an FTP connection to test the server:

  • % ftp localhost

Trying 127.0.0.1...
Connected to localhost.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 13:39. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:username):
Now log in with a user account created as explained above. Commands such as ls, cp, pwd and less work just like in tcsh and bash shells. To quit the FTP session type exit.

To configure Pure-FTPd to start at boot time:

  • # echo 'pureftpd_enable="YES"' >> /etc/rc.conf
To restart Pure-FTPd and determine if it is running:
  • # /usr/local/etc/rc.d/pure-ftpd restart
  • # /usr/local/etc/rc.d/pure-ftpd status

Pure-FTPd provides useful features for personal users as well as hosting providers. I've only touched the tip of the iceberg so do take a look at the project's website for the excellent documentation that is available.

That's it for now. On a future post I'll explain how to setup Pure-FTPd for anonymous FTP access.

Resources:
http://www.pureftpd.org/project/pure-ftpd/doc

Friday, October 17, 2008

HowTo: Install and setup MLDonkey on Gentoo

MLDonkey is an open source, free software multi-network peer-to-peer application. Currently the following protocols are supported: eDonkey, Overnet, Bittorrent, Gnutella, Gnutella2, Fasttrack, FileTP and Kademlia.

To cater to my brother's P2P needs I decided to install MLDonkey without X11 support leaving only the core with both telnet and web interfaces. The target computer was my 1.3GHz Pentium-M laptop headless server (faulty display) running Gentoo Hardened located at my parents house.

Below are the steps needed to install MLDonkey on Gentoo with BitTorrent, eDonkey and Overnet support:
  1. $ su
  2. # eix-sync
  3. # echo "net-p2p/mldonkey ocamlopt -doc -fasttrack -gd -gnutella -gtk -guionly -magic" >> /etc/portage/package.use
  4. # emerge -tav mldonkey
Now that MLDonkey is installed let's activate it at boot time and start the service:
  1. # rc-update add mldonkey default
  2. # /etc/init.d/mldonkey start

Now we are going to modify the MLDonkey configuration:

  1. # /etc/init.d/mldonkey status
  2. # exit
  3. $ telnet 127.0.0.1 4000
  4. > auth admin ""
  5. > passwd newpassword
  6. > set allowed_ips "127.0.0.1 192.168.1.0/24"
  7. > save
  8. > exit
Basically, we've checked that MLDonkey was running and accessed it through its telnet interface. Initially the application is configured without an admin password, so step 5 takes care of that. In step 6 we set the IPs that are allowed to connect to the application; in the example, localhost and all clients on the local network.

MLDonkey's web server can be accessed at http://localhost:4080, so fire up your browser and point it to the address. If you're planning to access the server from another computer, replace the localhost part with the server's IP or hostname (and make sure that address is covered by allowed_ips).

The following are a few useful commands that can be passed on to MLDonkey:
  1. # /etc/init.d/mldonkey start
  2. # /etc/init.d/mldonkey stop
  3. # /etc/init.d/mldonkey restart
  4. # /etc/init.d/mldonkey status
There are tons of configuration options available both in the telnet and web interfaces so I've opted to mention only the basic stuff. For more information I suggest browsing the project's website at http://mldonkey.sourceforge.net/.

Tuesday, October 14, 2008

Tip: Konqueror with Flash support (YouTube) on Gentoo

Following in the footsteps of my previous post on how to install and set up KDE 3.5.x on Gentoo, I'll explain below how to get Flash support for Konqueror and, with it, YouTube heaven.
  1. $ su
  2. # emerge --ask --tree nsplugins netscape-flash
  3. open Konqueror and point to Settings -> Configure Konqueror -> Plugins -> Scan for New Plugins.
We started by becoming the superuser; in step 2 the plugin packages were installed, and in the final step we told Konqueror to re-scan all plugin directories.

It's done ;-)

HowTo: Install and setup KDE 3.5.x on Gentoo

KDE is a powerful Open Source graphical desktop environment for Unix and Unix-like workstations. It combines ease of use and unparalleled functionality.

Having married I can't "afford" running cool window managers such as dwm and Xmonad, so I began moving into desktop environments such as Gnome and KDE. KDE was there on my first contact with Linux and truth be said I prefer it over Gnome.

Below you'll find the steps I took to install and set up KDE 3.5.9 on Gentoo. Why 3.5.9? Because in my opinion KDE 4 is lacking compared with the mature 3.5.x versions.

Let's begin by becoming the superuser:
  • $ su
Edit your /etc/make.conf file and make sure that the qt3, kde, hal, dbus and arts flags are enabled. If you access Samba shares consider adding the samba flag also.
  • # vim /etc/make.conf
Now we update the portage tree:
  • # eix-sync
List and select a desktop profile:
  • # eselect profile list
    [1] default-linux/x86/2006.1
    [2] default-linux/x86/2006.1/desktop
    [3] default-linux/x86/2007.0
    [4] default-linux/x86/2007.0/desktop
    [5] hardened/x86/2.6
    [6] selinux/2007.0/x86
    [7] selinux/2007.0/x86/hardened
    [8] default/linux/x86/2008.0
    [9] default/linux/x86/2008.0/desktop *
    [10] default/linux/x86/2008.0/developer
    [11] default/linux/x86/2008.0/server
    [12] hardened/linux/x86
  • # eselect profile set 9
Now let's update our system along with all package dependencies, removing unneeded dependencies in the process:
  • # emerge --ask --verbose --tree --update --newuse --deep world && emerge --depclean && revdep-rebuild
The fun stuff begins: the installation of kdebase-startkde. I chose this over kde-meta because I really don't need the full KDE environment. This takes around 2 hours on my desktop, a 2.2 GHz Athlon XP-M.
  • # emerge --ask kdebase-startkde
Having installed the base environment I proceeded by installing the individual KDE applications that I like:
  • # emerge --ask --tree konsole kdm kpdf ktorrent ksnapshot amarok k3b kaffeine kmix kate kopete kcalc kolourpaint ark media-gfx/gwenview kget knetattach kchmviewer yakuake
From the previous package list special attention should be given to knetattach as this package allows Konqueror access to Samba shares.

Also, if you are planning on customizing KDE's look consider installing the following packages:
  • # emerge --ask --tree kdmtheme nuvox polymer qtcurve gtk-engines-qt gtk-engines-qtcurve x11-themes/crystal
After emerging the KDM graphical login manager, let's activate it by editing the /etc/conf.d/xdm file and adding xdm to the boot scripts:
  • # vim /etc/conf.d/xdm
DISPLAYMANAGER="kdm"
  • # rc-update add xdm default

To have KDE automatically mount CDROMs and USB sticks, we need to add hal and dbus to the default runlevel and add yourself to the plugdev group.

  • # rc-update add dbus default
  • # rc-update add hald default
  • # gpasswd -a username plugdev
Replace username with your own login name.
As I also want to access Samba shares I've also added samba to the default runlevel:
  • # rc-update add samba default
And that's it. Reboot your system and gaze upon the wonderful desktop environment that KDE is.

Resources:
http://www.gentoo.org/proj/en/desktop/kde/kde-config.xml
http://www.kde.org/

Monday, October 13, 2008

Tip: Getting Flash working on Debian

I've been running Debian Testing (Lenny) for a while with Gnome and Iceweasel however only recently I've been using it regularly.

So I reached a point where I wanted to check a TV schedule and the TV station's website needed Flash. Later on I've also found that YouTube required a Flash

To fix this and get myself Iceweasel working with Flash websites:
$ su
# apt-get install flashplayer-mozilla

Just fire up Firefox and happy YouTube browsing ;-)

Friday, October 10, 2008

HowTo: Setup an Anonymous FTP server on FreeBSD

To test the speed differences between SFTP and FTP I decided to set up an anonymous FTP server on my trusty old 266 MHz Celeron running FreeBSD 7.0.

The File Transfer Protocol (FTP) provides a simple and classic method for transferring files from one computer to another across the internet.

The FreeBSD base install includes FTP server software, namely ftpd.

I'm fully aware of the security implications of FTP transmitting usernames and passwords in clear text, hence the choice of an anonymous FTP server in read-only mode.

Let's start by creating an ftp user:
  • % su
  • # adduser
Username: ftp
Full name: Anonymous FTP user
Uid (Leave empty for default):
Login group [ftp]:
Login group is ftp. Invite ftp into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash zsh nologin) [sh]: nologin
Home directory [/home/ftp]: /var/ftp
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: no
Username : ftp
Password :
Full Name : Anonymous FTP user
Uid : 1004
Class :
Groups : ftp
Home : /var/ftp
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ftp) to the user database.
Add another user? (yes/no): no
Goodbye!
Anonymous FTP restricts access to the home directory of the user ftp. So let's create an additional directory:
  • # mkdir -p /var/ftp/pub
  • # chown ftp:ftp /var/ftp/pub
From the user's point of view /var/ftp is the root directory, and they cannot access any files outside it.

To display a welcome notice before users log in, edit the /etc/ftpwelcome file:
  • # vi /etc/ftpwelcome
After a successful login the contents of the /etc/ftpmotd file are displayed to the user.
  • # vi /etc/ftpmotd
Next let's proceed by enabling the ftpd server in /etc/inetd.conf:
  • # echo "ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -S -A -r" >> /etc/inetd.conf
Where:
-l log each session (the default flag)
-r read-only mode
-o write-only mode
-A anonymous FTP connections only
-S logging of all anonymous FTP activity
The -S flag logs to /var/log/ftpd; however, the file needs to exist before ftpd can use it:
  • # touch /var/log/ftpd
To start ftpd at boot time:
  • # echo 'inetd_enable="YES"' >> /etc/rc.conf
Having finished the configuration steps we can start ftpd immediately by:
  • # /etc/rc.d/inetd start
You can now log on to your FTP server by typing:
  • # exit
  • % ftp localhost
Here the username can be either ftp or anonymous and the password can be anything. Commands such as ls, cp, pwd and less work just like in the tcsh and bash shells. To quit the FTP session type exit.

And we're done ;)

Additional information:
FreeBSD Handbook
man ftpchroot
man ftpd
man chroot
man inetd