Braindump

Seventy-five percent of the servers I have been working on over the last few months have been Linux.  Mostly Ubuntu.  This due to the fact that my company has allow me to start migrating over and building new servers on this platform.  With that, we need secure ways to access the servers.  On occasion I’ll use webmin but mostly just SSH and whatever website is running on it (management, applications, etc).  Webmin takes care of itself with a self signed certificate and SSH creates its own keys.  Pretty easy there.  Now, for the website that is running on the box, out of the gate it’s unencrypted TCP/80 traffic running from an Apache 2 web server.  This short tutorial will cover how to create a CSR with OpenSSL for use when getting a certificate from one of the CA’s.  I won’t explain everything here but you may use Ubuntu’s https-help guide if you need more info found here.

First, let’s make sure we have the right packages installed.

apt-get install openssh apache2 apache2.2-common php5

Now let’s enable SSL for apache2

sudo a2enmod ssl

Now lets create the server SSL key.

cd /etc/ssl/private
openssl genrsa -des3 -out dns.server.com.key 1024

Ok, now that we have the key, let’s create the CSR to be given to the CA.

openssl req -new -key dns.server.com.key -out dns.server.com.csr

It will prompt you for the passphrase and some other bits of information.  The most important one is site name.  This must match the name of your server.  Something like mail.domain.com or www.domain.com would be appropriate here.

The CSR can now be uploaded to whatever CA you choose.  I use GoDaddy because they are so cheap.

If you do not want to purchase a certificate you can create your own self signed cert with the following command.

openssl x509 -req -days 365 -in dns.server.com.csr -signkey dns.server.com.key -out dns.server.com.crt
cp /etc/ssl/private/dns.server.com.crt /etc/ssl/certs

Now that we have the cert created, let’s configure Apache to use it. Add the following 3 lines to your website configuration.  The default one is located in /etc/apache2/sites-available/default.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/dns.server.com.crt
SSLCertificateKeyFile /etc/ssl/private/dns.server.com.key

Save that config file and enable Apache to listen on 443 for HTTPS traffic.  Add the following line to /etc/apache2/ports.conf

Listen 443

Restart your Apache2 process and you should have a fully functional SSL enabled website.

/etc/init.d/apache2 force-reload && /etc/init.d/apache2/restart

vi is neat.  Most of the engineers I work with like nano or pico but I like vi.  For some reason it makes me feel more like a geek when I’m using it.  In fact, I’ve been using it so often lately that I have been trying to use vi command in notepad (obviously without success).  This tutorial will cover only the basics but that should be enough to get you started.  A much better tutorial is available here.

vi /etc/network/interfaces - opens /etc/network/interfaces in vi

i - insert
/ - search
G - [Shift] g - go to bottom of page
dd - delete the line
d <- or d -> - d [left or right arrow] delete 1 character in that direction
10G - 10 [Shift] g - move to line 10 (obviously number can be replaced)
10dd - delete 10 lines from cursor and below (again, number can be changed)
:q - quit (no changes may have been made)
:q! - quit (do not save changes)
:wq - write quite (save and quit)
:w - write (save)

Ok, now that you have mastered the basics of vi, please refer all other needs to the link provided above.  Hope you like vi as much as I do.

NOTE:  Ubuntu (and maybe debian) have a few things that the built in vi program have that seem a little strange.  I usually install vim just to be safe.  to do this run sudo apt-get install vim-full.


The original post for this is from the Ubuntu Geek website but I learned something new from it so I thought I would share my new favorite way to keep a package from being updated in Ubuntu.  This goes for pretty much any of the newer releases of Ubuntu.  I used to use dpkg to do this but now I like aptitude much better.  It’s easier for me.

To put a package on hold use this command.

sudo aptitude hold snort-mysql

To remove the hold use this command.

sudo aptitude unhold snort-mysql

To keep your entire system (I think) from being updated simply use this command.

sudo aptitude hold

And to remove the hold use this command.

sudo aptitude unhold

Very easy isn’t it.  Yep, that’s what I thought. I’ll be able to deploy appliances in the field now without worrying if an update is going to break something before I get a chance to fix the issue.

I love Ubuntu…it’s undubitably the best free OS on the planet. However, there is one thing that I absolutely hate about Ubuntu.. My inability to SSH into the system from anywhere. I know it is this way by design and that it’s a “security” feature but it still annoys me. So the following commands are what I use to get the system ready for use after a fresh install.

apt-get install openssh-server openssh-client

That’s it. If you want to play around a little more you can configure Ubuntu’s firewall in just a few simple steps as well. In my example I will enable tcp/80, tcp/443, tcp/22 and udp/53 inbound.

ufw disable
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 22/tcp
ufw allow udp/53
ufw enable

And then you can validate what you have entered with:

ufw status

The output will be similar to this:

Firewall loaded

To Action From
– —— —-
80:tcp ALLOW Anywhere
443:tcp ALLOW Anywhere
22:tcp ALLOW Anywhere
53:udp ALLOW Anywhere

And that’s really all I do…it’s definately not much but it will be enough to get you started connecting remotely.

Windows is definitely the big player in the game still, however Linux usage is gaining some steam. This post is going to concentrate on what programs you can use to make the switch to Linux. This process is not going to be entirely pain free if you are an avid user of all things computer related, however, if you are just a basic office user/worker or only need to check your email and play a few basic online games, Linux might be for you. There are literally thousands of choices for most applications out there so I’m only going to name the ones that I like or use and also only ones that work on Ubuntu. If you have any additions, please let me know.

Windows vs. Linux (Ubuntu)

Internet Browsing
W - Internet Explorer
U - Firefox

Email Clients
W - Outlook, Outlook Express
U - Thunderbird, Evolution

Chat Clients
W - MSN, Yahoo, Google Talk, AIM, mIRC
U- Gaim / Pigdin, xChat, BitchX

Com Port Communications
W - Hyperterminal
U - MiniCom

FTP Client
W - Filezilla FTP Client
U - Filezilla FTP Client

Remote Access Servers
W - Terminal Server, RealVNC, TightVNC, WinVNC
U - FreeNX, RealVNC, TightVNC

P2P Filesharing
W - Limewire, Bearshare, Bittorrent
U - Limewire, Azureus

VoIP Clients
W - Skype, X-Lite
U - Skype, Linphone, Twinkle

Drawing / Photo Editing
W - Paint.net, Photoshop, MSPaint
U - GIMP
3D Annimation / Rendering
W - 3D Studio MAX, Blender
U - Blender, Maya

DVD Players
W - Windows Media Player, PowerDVD
U - MPlayer, Kaffine, VLC

MP3 / Music Players
W - Winamp, iTunes
U - RhymeBox, K3b

Office Productivity
W - Microsoft Office
U - OpenOffice.org

Network / Relation Mapping
W - Microsoft Visio
U - Dia

Accounting / Financial
W - Quicken, Microsoft Money
U - GnuCash

Desktop Publishing
W - Microsoft Publisher, Quark
U - Scribus

PDF Editing
W - Adobe Acrobat Professional
U - PDFEdit, pdftk

Imaging
W - Norton Ghost
U - G4u, dd

Partition Resizing
W - Norton Partition Magic
U - GParted

Backup Software
W - Symantec Backup Exec
U - BackupPC, Amanda

Web Servers
W - Microsoft IIS
U - Apache

File Servers
W - Microsoft File Services
U - Samba

Email Servers
W - Microsoft Exchange
U - Postfix, Sendmail

AntiVirus Software
W - Symantec AV, Mcafee
U - ClamAV, AVG

For more of these “like” software lists, please visit what I believe to be the most complete list on the internet, Table of Equivalents.