I’m preparing myself to move from 10.04 to 12.04. With 12.04 as the next Long Term Release (LTS) coming in the next release I thought it was time to prepare for the inevitable move from old to new.

Setup

LTS from Canonical has support for 3 years for the desktop but it has been increased to 5 years for 12.04 code named Precise Pangolin. My Linux headed server currently does a lot and I like to treat it as a production system which cannot go down for long periods of time. The following services are being used:

• FreePBX – PBX system which manages the phones in the house
• Energy@Home – Logs power usage at home
• uPNP – Allows streaming of media to the T.v / Playstation 3
• Ampache – Music streaming service
• MythTv – DVR for digital and analogue T.V

Most noticeably the most important one is FreePBX. The rest are good to have but will only cause inconvenience if it was not running. To complicate things slightly the system is currently using LVM. I have never migrated an LVM before.

Hardware

The computer was originally built in 2004 with some minor upgrades including CPU, RAM and HDD but it’s starting to show it’s age. The hardware was bought as a budget secondary desktop computer but has since resided to a headless 24×7 server. Now it has so many services and software running that the load average is constantly above 5 on a AMD Athlon 64 4000+ (1×2.4GHz stock) with 2GB RAM. The system has a 500 watt PSU but consumes around 130 W.

I think it’s time it received some TLC and a well deserved upgrade and it would be perfect if I could time it with the next LTS. Some of the features I’ll be looking for are:

• Gigabit Ethernet (hopefully 2 if possible)
• More than 4 SATA ports
• At least dual core CPU
• Water cooled CPU

Check List

List of things to do before upgrading:

1. Backup user files – Music, pictures, etc
2. Backup settings – FreePBX, Gnome(possibly), fstab, apache conf, …
3. Backup website files
4. Backup Database

Test Backup

It’s always important to test the backup to ensure they actually work! Files and databases are easy. They can be restored into a different database and files can be copied to a different computer or different location as long there is enough space.

Summary

I probably won’t migrate on the day of release but I may test the backup plan around that time to make sure everything works. Once that’s done, Setup a VM and try installing and restore some of the backed up data and see if it works.

Ubuntu 12.04 LTS to get extra-long desktop support cycle

Related posts:

1. Downtime
2. Replace /dev/xxx With UUID
3. FreePBX Symlink From Modules Failed

One of the reasons I switched to MySQL instead of using the built in phonebook was because the numbers weren’t matching the ones in the internal phonebook. The built in phonebook only allows numbers so international numbers with + or numbers with hyphens cannot be matched to phonebook entries. Using a user defined database and query will solve these problems.

Setup MySQL

We need a schema and a table to store the phonebook and I’d suggest a new user with at least SELECT privileges. The script below creates a schema called freepbx and a table called phonebook:
--
-- Create schema freepbx
--

CREATE DATABASE IF NOT EXISTS freepbx;
USE freepbx;

--
-- Definition of table `freepbx`.`phonebook`
--

DROP TABLE IF EXISTS `freepbx`.`phonebook`;
CREATE TABLE `freepbx`.`phonebook` (
`name` varchar(50) NOT NULL,
`number` varchar(20) NOT NULL,
`phone` varchar(10) DEFAULT NULL,
PRIMARY KEY (`name`,`number`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
phonebook.zip

The table contains 3 fields:

• name – The name of the number
• number – The matching phone number
• phone – The type of phone number E.g mob

Add Contacts

Run the following query to insert new contacts in the phonebook:
insert freepbx.phonebook (name, number, phone) values ('Danny','123456','mob');
Replace Danny, 123456. mob with your own values. The name and number (the first 2 items in the values) are required and the phone (‘mob in the example) is optional. When omitting the phone field run the following query instead:
insert freepbx.phonebook (name, number) values ('Danny','123456');
The name and number combined must be unique otherwise it won’t create an entry in the database. See below for how it will be displayed on the phone / reports.

The Siemens S68H which comes with the Siemens Gigaset 685IP will display all the caller ID if it fits on the display but the text will “just go off the screen” if it does not, only display the first part of the name. The number is always displayed below the caller ID where possible.

Setup FreePBX

Log into FreePBX and go to Tools Setup (tab) > Inbound Call Control > CallerID Lookup Sources Click the Add CID Lookup Source button to add a new phonebook directory. Select MySQL from the Source type This will change the require informations on the page. Enter the following information:

Source Description: MySQL
Source type: MySQL
Cache results: yes [tick]
Host: [server address]
Database: freepbx
Query: SELECT CONCAT(name, IF(phone IS NOT NULL,CONCAT(' (', phone, ')'), '')) as cid FROM phonebook WHERE number like '[NUMBER]'
Username: [username]
Password: [password]

Source description can be any name and it will be used a reference in other settings. The Host will typically be localhost unless the MySQL database is installed on a different machine.

The query will show Danny (mob) if the phone field is populated. The brackets are automatically inserted. If the phone field is empty (NULL in the database) it will just show the name Danny

Press the Submit Changes button to save the new caller ID look up.

Go to Setup (tab) > Inbound Call Control > Inbound Routes and select an inbound route which will use the new phonebook. Under the CID Lookup Source section select the phonebook called MySQL (or what ever it was named in the Source description) in the Source dropdown.

Press the Submit button to save the change and repeat for all other inbound routes which will use the MySQL phonebook.

Apply the changes for all the settings to take hold.

Summary

Having MySQL as a source makes it a lot more flexible and customizable. Also it can be linked to an existing directory. More technical knowledge is required to manage the contacts but that comes with the flexibility.

Setup MySQL CallerID Lookup Source on FreePBX

Related posts:

1. Enabling Remote Access To MySQL
2. MySQL Tuning
3. Linksys SPA3102 And FreePBX On Ubuntu 10.04

1. Create a new disk which is larger than the original
2. Attach it to the VM
3. Download Gparted Live CD ISO file from http://gparted.sourceforge.net/livecd.php
4. “Insert” the CD into the virtual machine by selecting the Gparted Live ISO file downloaded in the previous step
5. Boot the VM and select to boot from CD
6. Follow the onscreen prompt to boot Gparted Live in X (GUI) mode
7. Gparted should start after it has booted. Note the disks path of the small (source) and larger (destination) drives
8. Enter the following command to copy from one drive to the other:dd if=/dev/sda of=/dev/sdb where /dev/sda is the source and /dev/sdb is the destination. This will take a while to finish
9. Refresh Gparted and the new drive will have partitions and data matching the old drive
10. Move and resize the partitions
11. Double click on the Exit button on the desktop and select Shutdown
12. Go back to the Storage settings for the VM and re-arrange the disk SATA port in the Attributes section.
13. Change the SATA port so that the new drive is on the port the old drive was on. This requires assigning the old drive to a third port, change the new drive to the old port and change the old drive port to the old new drive port
14. Save the changes and boot the VM

If any of the partitions were deleted and re-created the UUID needs to be updated. See Replace /dev/xxx With UUID

Ensure the new disk boots before detaching the old drive.

increase size of virtual disk

Related posts:

1. Formatting A Floppy Disk In Linux
2. VirtualBox With Ubuntu Quick Review
3. Ubuntu LVM2 – Smart Storage

10 things to do after installing Ubuntu 11.10

Related posts:

1. Installing Ubuntu 8.10 From USB Stick
2. VirtualBox With Ubuntu Quick Review
3. Ubuntu 8.04 Upgrade To Ubuntu 8.10 No Sound

If your looking for a previous command hit the key combo [ctrl + r] and the prompt changes to (reverse-i-search) Type in the command and it will a list of matching commands. Press enter to run the previous command that is listed.

Hak5 1007 – Yubico and the future of authentication

Related posts:

1. Setting Default Linux Shell
2. Linux Terminal Not Auto-completing
3. bash: man: command not found

It seems security was not high on the agenda when FreePBX was initially developed and the developers had built some default and backdoors into a system for easy access. Whilst I think this is a terrible idea, it doesn’t seem like the project has ever cleansed it of all of these developer friendly holes (turned security issues). The article on Nerd Vittles gives a full account of the issue and the username:passwords that were used during the development. They are as follows:

admin:admin
admin:password
admin:passworm
maint:admin
maint:maint
maint:password
maint:passworm
wwwadmin:password
wwwadmin:wwwadmin
wwwadmin:admin
asteriskuser:eLaStIx.asteriskuser.2oo7

The above format is username:password and to test them just go to the administration page of FreePBX http://[server]/admin e.g http://www.dannytsang.co.uk/admin

I do not 100% agree with the starting from scratch with a fresh install because some people may have taken extra precautions (such as myself) so fixing the issue won’t be as bad as stated. There’s also a security primer on the same site which will help with securing FreePBX. The problem is the article doesn’t specifically state how to fix it except to change the default passwords? How? Also the post could go through or link how to backup the existing install so that it’s not 100% lose. I’m not complaining but more like constructive criticism because I’m in that boat.

Some of the techniques to secure web servers and Ubuntu (if FreePBX is running on Ubuntu) will apply to FreePBX and I may post more articles to help secure FreePBX.

News: FreePBX/Asterisk Security Flaw

FreePBX Backdoor Passwords Pose Asterisk Security Threat

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Apache 2 Hardening Tips

Related posts:

1. Remove Ubuntu Keyring Password
2. Remote Extension In FreePBX
3. FreePBX – Common Voicemail Box

To resolve this, disable the password for Ubuntu’s keyring. This makes the stored passwords insecure but I only have a few passwords saved with the system keyring.

To disable the password go to Applications > Accessories > Passwords and Encryption keys or Alt+F2 to get the run box and type in seahorse (I do not know why it’s called seahorse).

The Passwords and Encryption Keys window should appear and under the Passwords tab there should be a list of passwords that it are saved already. Right click on the ones to remove the password and select Change Password. Enter the old password in the Old Password field and leave the rest blank. By the same token to reset the password complete all the fields. A warning about storing the passwords without a password should appear but select Use Unsafe Storage.

How To Remove Ubuntu’s Password Keyring

Related posts:

1. Security Holes & Backdoors In FreePBX
2. Enabling Remote Access To MySQL
3. KeePass Mini Review

Our Asus EEE PC 701 SSD failed when I tried to upgrade it from Ubuntu 10.10 to 11.04. I was in the middle of an install when it failed to copy a file and then there after it could not even boot from the HDD. Time for a replacement!

Why Have A Laptop And Netbook?

This all happened at a bad time because I was going on holiday soon and I was planning to take it with me. The EEE PC was a great travel companion because it was small, light and cheap which meant I had access to a computer (and Internet where possible) on holiday whilst not too worried about having hundreds of pounds worth of computer being damaged or stolen.

Netbook Vs. Tablet

When this all occurred, I was thinking of the possibility of replacement the netbook with a tablet. They fulfil more or less the same purpose of the netbook with a few pros and cons. Yes there is no keyboard for quick and comfortable typing and nor does it have the full range of applications a traditional desktop can offer but the boot time / always on and the optimized applications seem to counter those arguments (in my mind).

The biggest factor when I had decided was the price. Currently, a netbook can be had for aorund £230 and upwards. Cheaper for older models but tablets are currently are around £400+ excluding the Samsung Galaxy Tab 1010 but that has a 7″ screen with possible no outlook of getting new Android OS updates. This pretty much meant netbook was the only choice.

Linux Powered Netbook

Being the Geek that I am, I almost always do research before purchasing anything more than in your weekly shop. For this replacement netbook it was no different. What I was surprised about was the lack of netbooks with Linux on them. All the recent ones were powered by Windows 7 Starter edition. WHAT WENT WRONG!? I remember when netbooks just started out and almost all of them had Linux on them due to Microsoft’s License restrictions and more importantly the resource hog (compare to Linux) it was.

Alas the days of Linux powered machines look like they have gone and even Asus, the innovaters in netbooks are only selling Windows 7 on their machines. I was looking for a Ubuntu compatible device and it seemed it was fairly hard to find a 100% compatible netbook. I did encounter a Ubuntu hardware wiki which has a list of netbooks and their compatibilities but it was out of date but a good starting point.

The Chromebook was even less of an appeal and it’s untested. I cannot rely on having an Internet connection and have yet to hear the reviews or stories of it’s use. Availability was also an issue.

Acer Aspire One D255E (Intel N455)

After a long and hard search to find a Linux compatible system, I had decided to get the Acer D255E in red. There are 5 variants of the D25x which are D250 which is the first and oldest of the D25x range. Then came D255 which had the Intel Atom N255 processor. Then came the D255E which has the Intel Atom N450, N455 and N555. The main difference between the N45X and the N555 was the battery it came with. The latter having the larger 8 cell battery rated at 8 hours where was the former 2 have the 3 cell, 4 hours. The other smaller differences included DDR3 instead of DDR2 and slightly faster Front Side Bus (FSB). All in all I decided to go for the cheaper N455 version to save what was £30 at the time and coming in on budget of £200. This was a good result considering the inflation between 2007 and 2011 when I got the EEE PC 701 at the time.

From here on out I will be describing the D255E N455 only.

Initial Setup

I wanted to backup the system prior to doing anything in case I needed to return it. As per the usual Acer (and now pretty much all manufactures) has a recovery partition on their drive. Also the package did not include any restore media so if you break your Windows 7 Starter and your recovery partition, your out of luck because Windows 7 Starter is not available for purchase over the counter. People say you can contact Acer to get one if your willing to pay for the packaging and shipping costs but I think this is an oversight. All computers should come with system restore media. The good thing is you can create your own restore DVDs (note the plural!).

In order to create restore DVDs you must first boot into Windows and go through the registration to get to the Desktop. From there the start menu under Acer is Acer eRecovery Management. Starting this program allows you to create and restore from discs. This does mean you need an external DVD writer plugged in. The program will guide you through creating the 3 recovery DVDs. Once it was done time to get the Ubuntu 11.04 ISO out.

Installing Ubuntu 11.04

I created a bootable Ubuntu 11.04 USB stick to install from rather than using an external drive. The install process was fairly painless although during the HDD partition stage, I had to quit and go back into Windows to make sure I was selecting the correct partition (and not over write the recover and Android partitions).

Everything worked out of the box with the exception of the microphone. It was not picking up any sound but I think this is a Pulse Audio issue. To fix this do the following:
$ sudo apt-get update

$ sudo apt-get install pavucontrol
This will update the repository and install the pulse audio control panel. Once the install is complete, start the pulse audio control panel from the menu or by running the commal pavucontrol
Then select Input and reduce the input volume for either right or left. As soon as you do this the input volume bar will suddenly become active.

Some multitouch features work on the touch pad such as the right click when tapping with 2 fingers but I was unable to get the 2 finger scrolling to work.

Ubuntu 11.04

I like the Unity shell and find it usable for day to day tasks. As with any new software it does need a bit of work. The Ubuntu Software Center is a vast improvement over the old

The AOD 255E has a height of 600 pixels which meant most of the minimal sized windows fix with the exception of the buttons at the bottom of windows (if any). This means it has only lost 178 pixels to make the lowest resolution of 768.

Summary

Overall I’m very happy with the setup. Although there are things that can be improved upon such as ability to update Android or even restore the Android partition. Also there is no way to enable the android dual boot feature without Windows. I hate the loss of space for the recovery partition and as I do not know what will be restored with the restore DVDs, I’ve decided to keep them there for the mean time but the combination of Android and recovery partition take up approximately 50GB!

The EEE PC SD card slot was a lot deeper than the Aspire One which meant the card would be more or less sit flush to the edge of the computer. On this machine it sticks up by around 1cm which means the card cannot be left in there as extra space. This is a design flaw in my opinion.

I’m also more sensitive to the fact that it’s using a traditional HDD instead of a solid state so no more throwing it around whilst it’s on. The size of the netbook is a big step up compared to the old original EEE PC. Also the extra screen size and resolution helps.

Acer Aspire One D255 microphone?

Ubuntu 11.04 GNU/Linux on Acer Aspire One D255E

Ubuntu Hardware Wiki

Related posts:

1. IBM T60 + Ubuntu = Winner
2. VirtualBox With Ubuntu Quick Review
3. Back To Windows Vista

Apache Address already in use: make_sock: could not bind to port 80 or 443 error and solution

Related posts:

1. O2 Blocks Port 25
2. SSH On Multiple Ports
3. Enabling Remote Access To MySQL

The package in Ubuntu does not use the standard dos2unix command and instead are:

• fromdos – same as dos2unix
• todos – same as unix2dos

This tool seems to be missing in version 10.04 and onwards.

dos2unix missing (Ubuntu 10.04)

Related posts:

1. WordPress Thumbnail Generation Greyed Out
2. Installing Ubuntu 8.10 From USB Stick
3. Ubuntu Server 7.10 (Gutsy Gibbon) To 8.04 (Hardy Herring)

Related posts:

1. SSH On Multiple Ports
2. Ubuntu 10.04 Firewall (UFW) Basics
3. Netstat By Port

It’s been a while since I have used a “stable” software which almost made me tear my hair out! As good as the concept of Synergy is the execution could have been better. All credit to the software and it’s contributors/team for making it usable.

Synergy is a software that allows more than one machine share a keyboard and mouse. Just like having multiple monitors the mouse cursor will scroll off the edge of one computer say the desktop and onto the other like a laptop.

Features

The best way to describe Synergy is the pictures from their website:

The software is cross platform so the keyboard and mouse can be shared with Windows, Linux and Mac computer all at the same time. In this post however I will be setting it up with 2 Windows machines.

Synergy also can share clipboards too so copying from computer A can be pasted on computer B.

The software uses the server-client model so the computer with the keyboard and mouse that is to be shared runs as the server and all remaining computers are classed as clients. If a client has a connected keyboard and mouse, it can still operate them independently of the server but the client keyboard and mouse cannot control the server – it’s a one way thing.

I will be using the Synergy setup as the example where The server is in the middle and 2 clients are either side of it.

Windows Server

Download and install the Synergy software. At the time I opted for the stable version which was 1.3.6. There are 32 and 64 bit versions so install the correct one for server. Clients can have different bit version to the software and vice-versa.

Once installed, start the software and a very basic window should appear. Change the selection option from Use another computer’s shared keyboard and mouse (client) to Share this computer’s keyboard and mouse (server).

Click on the Configure… button to open up a new dialogue box. This window sets the computers (monitors really) and their orientation. First, add the server computer to top list using the + button. It is recommended the Screen Name should be the same as the computer name found in (My) Computer > (right click) Properties and the Computer name: is the name of the computer.

Leave Aliases as blank (empty).

Leave Options as all unticked and only tick them if there are issues with the stated keys.

Leave Modifiers as is or change according to preference. This may be useful for different operating systems.

Dead Corners prevents the cursor from jumping from one screen to the next. This may happen when using features such as expose on the Mac where moving the mouse to a designated corner will trigger something. Leave this unticked for now.

The next step is to link the computers together. This tells Synergy how the computers are positioned and which computer to go to when the mouse moves to the edge. It can be confusing at first but it means the screens can be linked in a series or in a circle. Always leaving the % of the screen unless the screens are very different. Working from left to right Select right, Client1, Server in the dropdown boxes. The line should read something along the lines of “of the right (part of the screen) of Client1 goes to Server“ so the right edge on Client one links to the Server. Click the + button below to add the link and ready for a new link.

Add the following to join the server to client1, server to client2 and client 2 to server (see above screenshot).

Click OK to close the dialogue box.

Click on the Advanced… button. This is where you specify which screen belongs to this computer. In this case the screen name should be Server. Either change or note down the Port and ensure it is open on the computer. Click OK to save and close.

Next is to register the program to start automatically by clicking on the AutoStart… button. Read and chose the relevant startup option preferred. I would leave it turned off for now because enabling it stopped it from working. It can be uninstalled but it does required Synergy to be restarted (don’t know why it can’t start the server). Close the dialogue box after.

Don’t bother with Test because it was broken I tried it. Go straight to Start button and the server is up and running if there is the Synergy icon in the tray.

Windows Client

Startup Synergy but this time leave it on User another computer’s shared keyboard and mouse (client) and enter the IP or computer name of the server machine.

Click on the Advanced… button and enter the screen associated with the client. So on Client 1 enter Client1 and Client 2 should be Client2.

Next click Start and it should be connected to the server!

Limitations

It’s mainly nice to have features but it’s still worth noting that:

• Clipboard can only share text. I tried images to files but it did not work.
• Dragging files from one screen/computer to another fails. It prevents the cursor from jumping screens whilst dragging something.
• Synergy doesn’t work when the computer is locked. I don’t have a problem with this limitation on security grounds. This also applies to the first login of each computer.
• High system usage / process freezes prevents the mouse from moving to the other computers. This is reasonable limitation because Synergy does not have enough resources to process the mouse move.
• Network Dependent – If the network is down, then the software will not be able to communicate with each other. This may also apply to unstable networks.

Problems

The UI can be confusing. For example I created a link for a computer, pressed the + button to add another and then OK’d it only to find it does not added it to the list unless you press the + button. Trying to remove a computer screen from the list caused Synergy to crash only to find it restoring to the last successful state. I am now confused as to how to remove them! Also the computer the aliases must match the ones typed on the server or it will error out.

A major issue I had with it was the Test function. Every time I tried it, it would either crash or complain it could not connect depending if it was the server or client. This made me go round and round trying different things only to find pressing start on client and server just worked (more or less).

It still prints out a message stating it’s a unstable software even though I’m using the stable version listed their site (64bit only maybe?).

I have noticed a problem where the clipboard is not being passed back and forth at times. Also the scroll wheel only works intermittently (more often not) which is very frustrating!

On Windows 7 client, the cursor centers to the middle of the screen. In a full screen application such as Windows Media Player, the cursor stays hidden.

It’s an understatement to say there are polish needed. Currently it works for what I need and hopefully it will improve over time.

Summary

The motion is very smooth and seamless. The basic functionality is there but can be improved. It’s a good solution for controller 2 or more computers via one keyboard and mouse. The best part of it is the cross platform even if I do not use it.

Synergy

How to Control Multiple Computers with a Single Keyboard and Mouse

Synergy Troubleshooting

Related posts:

1. Logitech G15 and MX Revolution
2. Numpad not working under Gnome
3. Keyboard

I recently upgraded FreePBX from 2.7.1 to 2.8 and from 2.8 to 2.9 the upgrade went OK except for a minor problem where the symbolic link is broken. Whilst this did not cause any problems in terms of the functionality or the workings of the system, it would be nice to solve the problem which appears in the dashboard.

Error Message

The title of the notification is “Symlink from modules failed” with the following body:
Error Symlink from modules failed retrieve_conf failed to sym link:
/etc/asterisk/sip_notify.conf
This can result in FATAL failures to your PBX. If the target file exists, the symlink will not occur and you should rename the target file to allow the automatic sym link to occur and remove this error, unless this is an intentional customization.

Other people have been getting other sym link errors other than sip_notify.conf but the technique should be the same.

The Fix

Take backup copy of the files mentioned:
$sudo cp /etc/asterisk/sip_notify.conf /etc/asterisk/sip_notify.conf.bak
Ensure the backup file have the same permission and ownership as the original.

Remove the original file:
$sudo rm /etc/asterisk/sip_notify.conf

Run retrieve_conf function again. This is triggered by the orange button at the top of the screen which appears when settings have changed but not applied yet. An easy to do this is to go into any of the settings and hit submit. For example Outbound Routes > [select a route] > Submit Changes button. Click on the Apply Configuration Changes button and there error should disappear. To confirm this has worked (because it does not appear all the time) list the directory to see if a new symlink with the same name as the one that was deleted before:
$sudo ls -l
This time it should have a -> to indicated it’s a symlink and point to another path E.g /etc/asterisk/sip_notify.conf -> /var/www/html/admin/modules/core/etc/sip_notify.conf

Symlink from modules failed on status screen after upgrade

Related posts:

1. Remote Extension In FreePBX
2. FreePBX – Common Voicemail Box
3. Asterisk / FreePBX full Log file

UFW or Uncomplicated FireWall is a basic software solution for protecting against network intrusions. It’s basic in the form that it’s a wrapper around the more powerful and complex iptables and therefore makes some assumptions such as rate limits. There are no smart detection systems and adaptability but it also makes it very simple and easy to use. This is not to say it’s too basic but it will suffice in most situations just like Windows Firewall. As time has progressed, UFW has improved a lot with a lot added features.

Install

Installing UFW on Ubuntu is very simple:
$sudo apt-get install ufw

To get the GUI for UFW:
$sudo apt-get install gufw

The remaining part of this article will be describing how to use UFW from command line.

Port/Service Confirguration

After installing ufw it should be inactive. To find the status of ufw:
$sudo ufw status numbered

Inactive means the firewall is turned off but it will be made active on a reboot. Disabled means it is turned off and it will not start when the system is restarted. If ufw is installed on a remote system and only accessible via terminal I would recommend disabling ufw in the event the system goes down and when it comes back up could block remote terminal connections:
$sudo ufw disable

Another default that is applied to ufw is that the firewall is set to allow all which means all connections are able to connect to the computer system unless a rule exists. It’s often easier to deny all and allow specific protocols or ports. To do this run the following command:
$sudo ufw default deny

To revert the above command:
$sudo ufw default allow

The command format to allow or deny something is $sudo ufw / . For example to allow port 22 (SSH):
$sudo ufw allow 22
This will allow TCP and UDP type traffic through port 22. To specify the protocol just append it to the end:
$sudo ufw allow 22/tcp
Replace allow with deny to block connections:
$sudo ufw deny 22/tcp

To allow/deny a multiple / range of ports do the following:
$sudo ufw allow 21,22,80,1000:1024
The comma separated numbers are the individual ports whilst the colon means the range. The above command would have opened connections for ports 21, 22,80 and 1000-1024.

ufw recognizes some services. To get a list of the services perform the following command:
$sudo less /etc/services

Replace the port number with the service name:
$sudo ufw deny ssh

To delete a rule, add the keyword delete after ufw and before the allow/deny switch:
$sudo ufw delete deny 22/tcp
or by using the status command and deleting by number from the left hand side:
$sudo ufw delete 2
will delete the second rule listed in the ufw status printout.

If ufw is enabled, running the status command will also list the rules that have been entered.

The defaults and rules can be applied to outgoing connections too. Here are some examples:
$sudo ufw default deny outgoing
Stops all outgoing connections by default

$sudo ufw default allow outgoing
Reverts back to allow outgoing connections

$sudo ufw allow out 22
Allows outgoing connections on port 22.

$sudo ufw allow out to 192.168.0.1 port 22
Allows outgoing connections from port 22 to machine 192.168.0.1

Source Configuration

Adding “from ” will permit or refuse connection from a specific IP address:
$sudo ufw deny from 192.168.0.1
The above command will block all connection requests from 192.168.0.1.

To block a range of IP addresses, do the following:
$sudo ufw deny from 192.168.0.1 to 192.168.0.254

Source settings can also be applied to specific ports/services like this:
$sudo ufw allow from 192.168.0.1 to any port 22/tcp

Rule Conflicts

Depending on the order the rules were added will depend on which rules are evaluated first. Using the commands described above here is Scenario 1:

$sudo ufw default deny
$sudo ufw allow 22
$sudo ufw deny from 192.168.0.1 to any port 22

With the allow port 22 added first, the computer with 192.168.0.1 will still be allowed to connect to port 22 because ufw see’s that 22 is allowed and it will not evaluate any rules below it. To fix the problem the commands should be entered in the following order:

$sudo ufw default deny
$sudo ufw deny from 192.168.0.1 to any port 22
$sudo ufw allow 22

The most generic and therefore open rule should be last with more specific rules added first. The ufw status command will list the rules in place in the order they were added / evaluated.

To insert a new rule in a specific position, use the status command with the option numbered:
$sudo ufw status numbered
This will list all the exist rules with a number index on the left hand side.

Create a new rule as per normal but add insert before the rule to specify the order it should be inserted in:
$sudo ufw insert 2 deny from 192.168.0.1 to any port 22
The above rule will be inserted in position 2 and move the old 2 and below rules down 1 place.

Limiting Connections

In place of opening a service / port there is also limiting. The rule for the limit is:

ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds.

I have not seen any article on how to change the limit rules.

To use the connection limiting function, replace the word allow with limit. For example:
$sudo ufw limit 22

If an allow rule exists for port 22, it should be removed otherwise ensure the limit rule is above the allow rule.

Common Server Ports

Below is a list of common ports to be left open. Whilst not all of them are applicable or the same it’s worth considering:

• 20, 21 – FTP for unsecure file transfers. I’d recommend using SFTP or FTPS which usually reside on a different port. Also try and use the limit firewall rule instead of allow to minimize brute force attacks.
• 22 – SSH is a must and is used by FTPS and other secure services such as SCP. I’d recommend changing the SSH port to something more obscure. Also it’s worth using the limit firewall rule to prevent brute force attacks.
• 25 – SMTP for routing email. It’s not necessary to open if
• 80 – HTTP or webserver port. Leave this open if a webserver is running such as Apache.
• 161,162 – SMNP used to monitor server status.
• 220 – IMAP for client email access
• 443 – HTTPS secure web traffic if supoorted.
• 465 – SMTP over SSL for secure email access.
• 3306 – MySQL database port. I’d recommend not opening this port up and use SSH tunneling for more secure approach. If it’s necessary to open the port then use limit unless it causes connection issues.

Summary

ufw is a nice wrapper to enable and disable ports and the syntax used are fairly logical and human readable. I would like to see more work done on the limit command which limits the connections coming in (and hopefully soon) going out.

http://gliderservices.no-ip.org/blog/?p=9

Linux Server Security – Ubuntu’s ufw Firewall Configuration Tool

Related posts:

1. Setting Up CUPS (Print Server) On Ubuntu 8.04
2. SSH On Multiple Ports
3. Apache 2 Hardening Tips

Disable Directory Listings

First directive to change is to stop people browsing through files when a user types in a web address which leads to a folder.

Edit the file /etc/apache2/sites-available/default
changing default for the site config file.
$ sudo service apache2 restart
Find Indexes from the options under the Directory directive and add a subtract sign to disable the option. For example:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Becomes
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

mod-evasive

As a last measure from a DDOS attach, Apache has a module which black lists IP addresses temporarily. The default rules are:

1. Requesting the same page more than a few times per second
2. Making more than 50 concurrent requests on the same child per second
3. Making any requests while temporarily blacklisted (on a blocking list)

$sudo apt-get install libapache2-mod-evasive

mod-security

Helps stop some injection and Server Side Includes (SSI) attacks:
$sudo apt-get install libapache2-mod-security2

Remove Server Signature & Information

Turn off server information such as version of Apache and HTTP header server information.

$vi /etc/apache2/conf.d/security

Find the following and change the values to Prod and Off
ServerTokens Prod
ServerSignature Off

Update Apache

Keep the software as up to date as possible. New version come out all the time with various fixes and security patches. Fortunately, Debian based systems such as Ubuntu makes this really easy:
$sudo apt-get update && sudo apt-get dist-upgrade

Last thing to do is to restart the server for the changes to take hold. Any mis-configuration should be reported when the server tries to start back up. It might be easier to restart after each change to make troubleshooting easier.

Below are some use case specific ways to enhance security. If the below changes breaks a site then revert the changes but for most home uses they can generally be turned off.

Disable SSI

Add a minus sign in front of Includes. E.g:
<Directory /var/www/>
Options -Indexes -Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable CGI

Add / modify ExecCGI in the directory directive:
<Directory /var/www/>
Options -Indexes -Includes -ExecCGI FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable Symbolic Links

Remove / add a hyphen to FollowSymLinks to disable sym links (like shorts in Windows terms):
<Directory /var/www/>
Options -Indexes -Includes -ExecCGI -FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable All Options

To remove all options above just remove all the options and add the word None
<Directory /var/www/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>

Almost Secure and Perfect Ubuntu Server

Security Tips

20 ways to Secure your Apache Configuration

How to harden Ubuntu 10.04 LTS + LAMP

Related posts:

1. WordPress Permalink Change Error
2. Ubuntu 10.04 Firewall (UFW) Basics
3. Setting Up CUPS (Print Server) On Ubuntu 8.04

Invalid command ‘Header’, perhaps misspelled or defined by a module not included in the server configuration

$sudo a2enmod headers to enable the headers module

$sudo service apache2 restart to restart the server for the module to take effect.

Related posts:

1. Invalid Command ‘ExpiresActive’
2. WordPress Permalink Change Error
3. WordPress Twitter Tools Shows Blank Page On Connect

Invalid command ‘ExpiresActive’, perhaps misspelled or defined by a module not included in the server configuration
…fail!

To fix it ensure the “expires” module is loaded:
$sudo a2enmod expires

Then restart Apache server
$sudo service apache2 restart

Related posts:

1. Invalid Command ‘Header’
2. WordPress Permalink Change Error
3. Apache 2 Hardening Tips

First thing to do is install the script
$sudo apt-get install chkrootkit

Next run it:
$sudo chkrootkit
or redirect the output to a file
$sudo chkrootkit > rootkit.txt
That’s it!

Related posts:

1. Mounting / Extracting .bin and .cue Files In Ubuntu
2. Check GUI Program Is Running In Linux
3. Bash Sleep vs. Wait

A problem I had encountered was navigating to the voicemail login page was blank. The page loaded successfully with just a white page. The cause is the ARI Framework module is not installed and to rectify it is as simple as downloading and installing the FreePBX ARI Framework module via the Admin page.

Recordings page is blank after update 2.9

Related posts:

1. WordPress 2.3.3 Upgrade
2. Visual Studio Express 2008 (Orca)
3. WordPress Twitter Tools Shows Blank Page On Connect

SSL is used to encrypt data between the client e.g a user viewing a website to the web server which hosts the site. SSL uses certificates which are signed and verify the validity of a website. Like any vendor based system the certificate is as secure as the issuer. This means anyone can generate an SSL certificate but only “certified vendors” are considered safe.

Pre-requisites

This post assumes Apache 2 is installed on Ubuntu 10.04 (other versions may apply) with no issues. The default virtual host will be used as the example.

Install SSL

1. Ensure the SSL mod is installed so Apache can handle SSL requests sudo apt-get install ssl-cert
2. Enable the SSL module sudo a2enmod ssl
3. Before restarting the service, edit /etc/apache2/ports.conf and make sure there is a Listen 443 in the file. Alternatively add it in and if the entry is invalid apache won’t start.
4. Create a directory to store the SSL certificates sudo mkdir /etc/apache2/ssl
5. Restart apache service sudo service apache2 restart

Generate SSL Certificate

Only run steps in this section if the certificate to be used is not going to be issued by a vendor.

1. Create the certificate in the Apache SSL directory sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/www.dannytsang.com.crt

Once complete go to Configure Apache 2

Applying For SSL

The steps may vary but this is what I had to go through to obtain an SSL certificate:

1. Install OpenSSL sudo apt-get install openssl
2. Generate a RSA private key. Enter a password when prompted openssl genrsa -des3 -out www.dannytsang.com.key 2048
3. Create the CSR openssl req -new -key www.dannytsang.com.key -out www.dannytsang.com.csr Example information:
   • Country Name (2 letter code) [AU]:GB
   • State or Province Name (full name) [Some-State]:Hertfordshire
   • Locality Name (eg, city) []:Stevenage
   • Organization Name (eg, company) [GX Networks Ltd]:Danny Tsang
   • Organizational Unit Name (eg, section) []:
   • Common Name (eg, YOUR name) []:www.dannytsang.com
   • Leave the rest blank
4. Ensure the CSR details are correct openssl req -noout -text -in www.dannytsang.com.csr If not go through the steps above again to re-generate the CSR
5. Submit the CSR to the vendor.
6. The vendor will verify details submitted before issuing the SSL certificate. Once that is complete continue to the next stage.

Depending on the level of the SSL certificate applied there is always at least 2 certificates that have to be included in Apache. One is the Vendor who signs the SSL and the SSL certificate itself.

7. Copy the vendor certificate to sudo mkdir /etc/apache2/ssl. For example sudo vi /etc/apache2/ssl/CaCert.pem
8. Copy the site / domain SSL certificate sudo vi /etc/apache2/ssl/www.dannytsang.com.crt

Configure Apache 2

There are various ways to enable HTTPS on a website. The options described below are the ones discussed in this article:

• Site Wide – The whole site uses HTTPS so that all the traffic is encrypted. This is the most secure method. Some limitations with this include any “resources” displayed on the site not from a HTTPS site will show a warning to the user. Website traffic will still be encrypted but not for non HTTPS parts e.g Ads
• Login / Accounts only – From user log in and onwards will be encrypted. Other parts are not.

For Login / Accounts only part, WordPress will be used as the example.

For both options there should be 2 virtual hosts configured in Apache. One for non encrypted and the other for encrypted. If the desired effect is for the user to explicitly type https into the browser then only the secure virtual host is need. Otherwise a redirect will be created so that users entering http://www.dannytsang.com will automatically go to https://www.dannytsang.com. The following will assume the virtual host file have already been created and working. The virtual host file will be called dannytsang.

1. Make a copy of the virtual host which will be used for the SSL part of the site sudo cp /etc/apache2/sites-available/dannytsang /etc/apache2/sites-available/dannytsangssl
2. Edit the secure virtual host file and make the following changes:
   • Change the port to 443, the default port for HTTPS traffic e.g <VirtualHost *:443>
   • ServerName – Ensure this directive is set to the same as the SSL certificate e.g ServerName www.dannytsang.com
   • SSLEngine – Turn SSL on e.g SSLEngine On
   • SSLCACertificateFile – Path to the vendor or “Certificate Authority” signing certificate. This may be optional and not required if it was not mentioned by the issuer e.g SSLCACertificateFile /etc/apache2/ssl/CaCert.pem
   • SSLCertificateChainFile – Intermediate CA. Same as above e.g SSLCertificateChainFile /etc/apache2/ssl/ICaCert.pem
   • SSLCertificateFile – Path to site SSL e.g SSLCertificateFile /etc/apache2/ssl/www.dannytsang.com.crt
   • SSLCertificateKeyFile – The file path to the private key used to sign the CSR e.g SSLCertificateKeyFile /etc/apache2/ssl/www.dannytsang.com.key
   • Save and exit the file

Example of the secure virtual host configuration file so far:

<VirtualHost *:443>
ServerName www.dannytsang.com

SSLEngine On
SSLCertificateChainFile /etc/apache2/ssl/ICaCert.pem
SSLCertificateFile /etc/apache2/ssl/www.dannytsang.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.dannytsang.com.key

DocumentRoot /var/www/dannytsang

</VirtualHost>

Note that my example does not contain SSLCACertificateFile. For a self generated SSL the only SSLCertificateFile is needed.

Site Wide HTTPS

One of the pit falls of site wide encryption is that all content must reside on the https domain or from other https sources. Below is an example of what Google’s Chrome browser would show if content didn’t come from a secured resource. In my case it was Ads:

1. Edit the non secure virtual host file of the site sudo vi /etc/apache2/sites-available/dannytsang
2. Add the following lines below the SSL related directives:
   
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</IfModule>

3. Save and exit the virtual host file.
4. Enable the new secure virtual host sudo a2ensite dannytsangssl
5. Restart Apache sudo service apache2 restart

Login HTTPS For WordPress

1. Edit the non secure virtual host file sudo vi /etc/apache2/sites-available/dannytsang
2. Add the following inside the <Directory /var/www/dannytsang>:
   
<Directory /var/www/dannytsang>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^wp-(admin|login|register)(.*) https://%{SERVER_NAME}/wp-$1$2 [L]
</IfModule>
</Directory>

   The RewriteRule is the rule for when it would change the URL to https. In this case it looks for any of the following combinations after the domain wp-admin, wp-login, wp-register e.g www.dannytsang.com/wp-login.php. Multiple rules may be added to match all sorts of sub directories.
3. Save and exit the virtual host file.
4. Add the following line to the non secure site so that going from a login / admin page to the normal part of the site e.g logging out and going back to the front page will change it to non https
   vi /etc/apache2/sites-available/dannytsang

<Directory /var/www/dannytsang>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule !^wp-(admin|login|register)(.*) - [C]
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [L]
</IfModule>
</Directory>

5. Save and exit the virtual host file.
6. Enable mod_rewrite in Apache sudo a2enmod rewrite
7. Enable the new secure virtual host sudo a2ensite dannytsangssl
8. Restart Apache sudo service apache2 restart
9. Edit the WordPress config file (wp-config.php) and add the following line to the bottom of the file define('FORCE_SSL_ADMIN', true);

Debugging Tools & Methods

I found Google Chrome to be the best browser to troubleshoot SSL problems. Chrome is the most promient in showing HTTPS problems (see non secure sources screenshot above). The problem with Chrome was that it was more strict on showing the “padlock” HTTPS icon.

Go to the Console in Chrome (Ctrl+Shift+j > Console tab) lists insure content warnings.

Summary

Whilst going through this setup process myself it has been a long and arduous process (even if it doesn’t look it from this write up). I have learnt:

• Check the Certificate Authority – Ensure it is from a reputable organization issuing / signing the SSL. SSL providers are not necessarily the company which signs them. Also cheap SSLs may be signed by an unknown / not recognised as a verified CA. This list of CA vary from browser to browser.
• Non secure SSL – Even if a page or site is encrypted using the HTTPS protocol, the page is not deemed secure if any information on a page comes from a non secure site.
• Check WordPress Plugins – Some plugins are not HTTPS aware for example lightbox2.
• Clear Cookies & Cache – Sometimes browsers cache information and so even restarting the webserver may still result in an unsecure page / site. I found the best practice was to close the browser and start it up again. A quicker way to do it is to clear the cache and cookies associated with the site.

forumserverapache2SSL

Generate a CSR: Apache (Open SSL)

WordPress Administration Over SSL

apache2 – redirect http to https

Intermediate Certificate Authority (CA) & SSL Installation Instructions for Apache

Related posts:

1. Enable SFTP On VSFTPD In Ubuntu
2. Awstats
3. Apache 2 Hardening Tips