Archive for category Linux
Apache2 on Ubuntu – OpenSSL CSR / Self Signed Cert
Posted by clamasters in Linux, Ubuntu, blog on July 30th, 2008
Seventy-five percent of the servers I have been working on over the last few months have been Linux. Mostly Ubuntu. This is because my company has allowed me to start migrating over to, and building new servers on, this platform. With that, we need secure ways to access the servers. On occasion I’ll use webmin but mostly just SSH and whatever website is running on it (management, applications, etc). Webmin takes care of itself with a self-signed certificate and SSH creates its own keys. Pretty easy there. Now, for the website that is running on the box, out of the gate it’s unencrypted TCP/80 traffic served by an Apache 2 web server. This short tutorial will cover how to create a CSR with OpenSSL for use when getting a certificate from one of the CAs. I won’t explain everything here, but you may use Ubuntu’s https-help guide if you need more info, found here.
First, let’s make sure we have the right packages installed: OpenSSL for the key and CSR, and Apache with its common files (PHP is optional; it is only here because the sites I run need it).
sudo apt-get install openssl apache2 apache2.2-common php5
Now let’s enable SSL for apache2
sudo a2enmod ssl
Now let’s create the server’s private key. Use at least 2048 bits; public CAs no longer accept 1024-bit RSA keys and they are within reach of factoring. The -des3 option encrypts the key with a passphrase, which means Apache will prompt for it every time it starts; if that is not acceptable for an unattended server, drop -des3 and rely on file permissions instead (/etc/ssl/private is root-only on Ubuntu, and the key file must stay that way).
cd /etc/ssl/private
openssl genrsa -des3 -out dns.server.com.key 2048
Ok, now that we have the key, let’s create the CSR to be given to the CA.
openssl req -new -key dns.server.com.key -out dns.server.com.csr
It will prompt you for the passphrase and some other bits of information. The most important one is the Common Name (CN). This must match the fully qualified name clients will use to reach your server, such as mail.domain.com or www.domain.com; if it does not match, browsers will reject the certificate even though the CA signed it. Leave the optional challenge password empty.
The CSR can now be uploaded to whatever CA you choose. I use GoDaddy because they are so cheap.
If you do not want to purchase a certificate, you can create your own self-signed cert with the following command. Browsers will warn about it because no trusted CA vouches for it; you still get encryption, and for an internal management interface it is fine as long as you verify the certificate fingerprint out of band the first time you connect.
openssl x509 -req -days 365 -in dns.server.com.csr -signkey dns.server.com.key -out dns.server.com.crt
cp /etc/ssl/private/dns.server.com.crt /etc/ssl/certs
Only the certificate goes into /etc/ssl/certs; the key stays in /etc/ssl/private, readable by root only.
Now that we have the cert created, let’s configure Apache to use it. Add the following 3 lines inside the VirtualHost block that will serve HTTPS (it must bind port 443, e.g. <VirtualHost *:443>), and make sure that block’s ServerName matches the Common Name in the certificate. The default site configuration is located in /etc/apache2/sites-available/default.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/dns.server.com.crt
SSLCertificateKeyFile /etc/ssl/private/dns.server.com.key
Save that config file and make Apache listen on 443 for HTTPS traffic. Add the following line to /etc/apache2/ports.conf if it is not already there:
Listen 443
Restart your Apache2 process and you should have a working HTTPS site. If you encrypted the key with -des3, Apache will ask for the passphrase during the restart.
sudo /etc/init.d/apache2 restart
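As an added example (this is not code from the original post), the following script runs the key, CSR and self-signed certificate steps above non-interactively and then performs the checks worth doing before a CSR goes to a CA or a certificate goes into the Apache config: that the CSR carries the Common Name you meant, that the key is 2048 bits, and that the private key actually belongs to the certificate. It assumes OpenSSL is installed, the current directory is writable, and that "dns.server.com" is a placeholder hostname; the -subj fields are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key -> CSR ->
# self-signed cert flow plus the pre-flight checks for the Apache setup.
# Assumptions: OpenSSL is installed; cwd is writable; "dns.server.com" and
# the -subj fields are placeholders.
set -e

# Generate a 2048-bit RSA key and the CSR in one step. -nodes leaves the key
# unencrypted (no passphrase prompt when Apache starts); the umask in the
# subshell makes the key file owner-only from the moment it is written.
make_csr() {
    host="$1"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$host.key" -out "$host.csr" \
          -subj "/C=US/ST=State/L=City/O=Example/CN=$host" >/dev/null 2>&1 )
}

# Self-sign the CSR for one year, as the post's "openssl x509 -req" step does.
self_sign() {
    host="$1"
    openssl x509 -req -days 365 -sha256 -in "$host.csr" \
        -signkey "$host.key" -out "$host.crt" >/dev/null 2>&1
}

# The CN the CSR carries; compare it with the name clients will use.
# (Handles both the "CN = x" and the "/CN=x" subject layouts of OpenSSL.)
csr_cn() {
    openssl req -noout -subject -in "$1.csr" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Key size reported by the certificate, in bits.
cert_key_bits() {
    openssl x509 -noout -text -in "$1.crt" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Does the private key belong to this certificate? Apache refuses to start on
# a mismatched pair, so compare the RSA moduli before editing the vhost.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$1.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# Whole flow in a scratch directory, printing the check results.
demo() {
    host="$1"
    dir=$(mktemp -d)
    ( cd "$dir" &&
      make_csr "$host" && self_sign "$host" &&
      echo "CSR CN:   $(csr_cn "$host")" &&
      echo "key bits: $(cert_key_bits "$host")" &&
      if key_matches_cert "$host"; then echo "key/cert: match"
      else echo "key/cert: MISMATCH"; fi &&
      echo "files in: $dir" )
}

demo "${1:-dns.server.com}"
```

Once Apache is restarted, `openssl s_client -connect dns.server.com:443 -servername dns.server.com` shows the certificate the server actually presents; for a self-signed cert expect "verify error: self signed certificate", for a CA-issued one expect "Verify return code: 0 (ok)".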
60 second vi intro
Posted by clamasters in Linux, Ubuntu, blog on July 30th, 2008
vi is neat. Most of the engineers I work with like nano or pico, but I like vi. For some reason it makes me feel more like a geek when I’m using it. In fact, I’ve been using it so often lately that I have been trying to use vi commands in Notepad (obviously without success). This tutorial will cover only the basics, but that should be enough to get you started. A much better tutorial is available here.
vi /etc/network/interfaces - opens /etc/network/interfaces in vi
i - insert
/ - search
G - [Shift] g - go to the last line of the file
dd - delete the current line
d [left arrow] or d [right arrow] - delete one character in that direction (x deletes the character under the cursor)
10G - 10 [Shift] g - move to line 10 (obviously number can be replaced)
10dd - delete 10 lines from cursor and below (again, number can be changed)
:q - quit (only works if no changes have been made)
:q! - quit (discard changes)
:wq - write and quit (save and quit)
:w - write (save)
Ok, now that you have mastered the basics of vi, please refer all other needs to the link provided above. Hope you like vi as much as I do.
NOTE: Ubuntu (and maybe Debian) ship a built-in vi that has a few behaviours that seem a little strange; it is a minimal vim build. I usually install the full vim just to be safe. To do this, run sudo apt-get install vim-full.
Getting Ubuntu Ready for “REAL” use…
Posted by clamasters in Linux, Ubuntu on May 30th, 2008
I love Ubuntu…it’s indubitably the best free OS on the planet. However, there is one thing that I absolutely hate about Ubuntu: my inability to SSH into the system from anywhere. I know it is this way by design and that it’s a “security” feature, but it still annoys me. So the following commands are what I use to get the system ready for use after a fresh install.
apt-get install openssh-server openssh-client
That’s it. If you want to play around a little more, you can configure Ubuntu’s firewall (ufw) in just a few simple steps as well. In this example I will enable tcp/80, tcp/443, tcp/22 and udp/53 inbound. Note the syntax: ufw takes port/protocol, so it is 53/udp, not udp/53. There is no need to disable the firewall first (rules can be added while it is running, and disabling it leaves the host unfiltered in the meantime). Make sure the 22/tcp rule is in place before you run ufw enable: the default incoming policy is deny, so enabling without it over SSH locks you out of a remote box.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw allow 53/udp
sudo ufw enable
And then you can validate what you have entered with:
ufw status
The output will be similar to this:
Firewall loaded

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere
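As an added example (not code from the original post), here are two small helpers around the ufw steps above: one normalises a port spec into the port/proto form ufw expects (it rejects the udp/53 spelling and accepts either 53/udp or udp/53 as input), and one checks a saved ufw status dump for a rule so you can confirm 22/tcp is allowed before closing your SSH session. ufw_cmds only prints the commands to run, since running them needs root; the status text is constructed sample output in the layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post. norm_rule fixes the port/proto
# ordering ufw requires; rule_allowed checks a `ufw status` dump for a rule;
# ufw_cmds prints the commands (ufw enable last) without running them.
# SAMPLE_STATUS is constructed text in the pre-0.30 ufw status layout.
set -e

SAMPLE_STATUS='Firewall loaded

To                         Action  From
--                         ------  ----
80:tcp                     ALLOW   Anywhere
443:tcp                    ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere'

# Normalise "80/tcp" or "tcp/80" to "80/tcp"; reject anything else.
norm_rule() {
    spec="$1"
    case "$spec" in
        */*) ;;
        *) echo "norm_rule: expected port/proto, got '$spec'" >&2; return 1 ;;
    esac
    port="${spec%%/*}"
    proto="${spec##*/}"
    case "$port" in
        tcp|udp) swap="$port"; port="$proto"; proto="$swap" ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "norm_rule: bad protocol in '$spec'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "norm_rule: bad port in '$spec'" >&2; return 1 ;;
    esac
    echo "$port/$proto"
}

# Print the ufw commands for the given rules, with "ufw enable" last so that
# every allow rule (SSH included) exists before the default deny takes effect.
ufw_cmds() {
    for spec in "$@"; do
        rule=$(norm_rule "$spec") || return 1
        echo "sudo ufw allow $rule"
    done
    echo "sudo ufw enable"
}

# Is "port/proto" ($2) listed as ALLOW in a `ufw status` dump ($1)?
rule_allowed() {
    port="${2%%/*}"
    proto="${2##*/}"
    printf '%s\n' "$1" | grep -q "^$port:$proto[[:space:]][[:space:]]*ALLOW"
}

# The post's rule set, then the pre-logout check against the sample status.
ufw_cmds 80/tcp 443/tcp 22/tcp udp/53
for rule in 22/tcp 80/tcp 443/tcp 53/udp; do
    if rule_allowed "$SAMPLE_STATUS" "$rule"; then
        echo "$rule: allowed"
    else
        echo "$rule: MISSING - do not log out until this is fixed"
    fi
done
```

To use it on a real box, save the output of `sudo ufw status` to a file and pass its contents as the first argument of rule_allowed; if 22/tcp comes back missing, add it from the session you still have open.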
And that’s really all I do…it’s definitely not much, but it will be enough to get you started connecting remotely.
Switchvox PBX replaced my trixbox
Posted by clamasters in Linux on March 27th, 2008
This was a pretty quick change, but one of my friends recommended that I try out Switchvox, which is an IP PBX built on Asterisk and is owned by Digium. I took a few looks at the webpage and I was pretty much sold. It looked so easy (and pretty). I installed it on a separate machine that I just picked up for dirt cheap from a school district that was getting rid of PCs from an old computer lab. The setup was almost the same as trixbox but had fewer questions for me to answer, making it simpler overall. Once installed, the first thing that I noticed was that SSL-based web access to the box was the only way to manage the server. This was cool and questionable at the same time, as the command line traditionally is the easiest/best way to debug anything. Well, I logged into the server with my friend on the phone, added in my Teliax information, and in 2 minutes I was able to call out. This was amazing in my opinion. Something this easy has to come with a price tag. Nope, I’m using the free edition…with a big smile on my face.
A few minutes later I was able to call through my provider from my cell and hit voicemail (that was already set up). The setup of dial plans, providers, hardware interfaces, and extensions is SO EASY. Much easier than trixbox, and I thought that was easy. Switchvox even auto-detected my Sipura SPA-1000 device. At this point I was completely sold. To be honest, the only complaint that I have at this point is the inability to go to the command line to debug stuff. That’s it. I would recommend this product to any home or small business.
trixbox now working
Posted by clamasters in Linux on March 20th, 2008
Well, a few weeks ago I really wanted to get a home phone setup for my house. My wife and I have been using our cell phones for pretty much everything for the last 2 years and thought it would be a good time to get something else. So instead of taking the easier route with a telephone company, I chose to set up Asterisk on an old extra computer with a Sipura SIP converter connected to a traditional home phone. My VoIP provider is TelIAX out of Colorado and so far has been pretty cheap. I would say the support isn’t the best, but as long as you know what you are doing, the system is always online. The real reason I chose them was their IAX2 support. I didn’t want to have a huge number of ports opened on my firewall to allow SIP to work. Also, traditionally SIP has not been the nicest with NAT, though Asterisk does a pretty good job with that issue.
Instead of going command line or even installing the package manually, I chose Fonality’s trixbox CE, which is free and is an all-in-one solution for IP telephony. At least on the server side. Install is straightforward: answer a few questions and it’ll eventually reboot, and you’ll have a functioning Asterisk server with FreePBX installed as well as some other goodies.
Once you have trixbox up and running, you log in to the web GUI and start configuring. Mine is http://192.168.1.10. Under FreePBX I had to configure 3 things:
1. Trunk – This is to tell Asterisk who to connect to for inbound and outbound calling. You have to configure things like registration strings, usernames, passwords, and any specific information for your provider. I have attached my configuration to this post.
2. Extension – I created a new extension (201) to allow my Sipura SPA-1000 to register to my trixbox. The setup on that was fairly easy, with just an extension number, password and a few options for voicemail and fax.
3. Inbound/Outbound routes – Tell Asterisk to use a specific trunk for outbound calls and specify what dial patterns you want it to pick up on. Then on inbound you need to tell Asterisk what extensions to ring when a call is coming in.
That’s it. Really, really simple. This was not my first time with trixbox, but it was the first time that I actually got it to work. I was quite surprised how clean the calls sound over the Internet; I was expecting to need to do QoS to get it right. I’ll still do that, but so far I have not needed to.
My next goal is to get some of the advanced features running. Music on hold, failover call routing, etc.