Ninth day in Addis

SSH

To enable remote logins with ssh

apt-get install openssh-server

Then you can login with:

$ ssh efossnet@proxy.dream.edu.et

To verify the host key fingerprint of a machine:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

Note: you need to verify it before logging in!

More information at http://www.securityfocus.com/infocus/1806

Example ssh usages

To log in:

    $ ssh efossnet@proxy

To run a command in the remote computer:

    $ ssh efossnet@proxy "cat /etc/hosts"

To copy a file to the remote computer:

    $ scp Desktop/july-18.tar.gz efossnet@proxy:

To copy a file from the remote computer:

    $ scp efossnet@proxy:july-18.tar.gz /tmp/

Beware of brute-force login attempts

Warning about SSH: there are people who run automated scans for ssh servers and try to login using commonly used easy passwords.

If you have an SSH server on the network, use strong passwords, or if you can it's even better to disable password authentication: in /etc/ssh/sshd_config, add:

    PasswordAuthentication no

To log in using public/private keys:

  1. Create your key:

    ssh-keygen -t rsa
    
  2. Copy your public key to the machine where you want to log in:

    ssh-copy-id -i .ssh/id_rsa.pub efossnet@proxy
    
  3. Now you can ssh using your RSA key

If you use ssh often, read these:

proxy

Problems we had today with the proxy:

ssl does not work

Reason: squid tries to directly connect to the ssl server, but the AAU network wants us to go through their proxy.

Ideal solution: none. There is no way to tell squid to use a parent proxy for SSL connections.

Solution: update the documentation for the Dream university users telling to setup a different proxy for SSL connections.

Longer term solution: get the AAU network admins to enable outgoing SSL connections from the Dream university proxy.

Other things that can be done:

Browsing normal pages returns an error of 'Connection refused'.

In the logs, the line is:

1153294204.912    887 192.168.0.200 TCP_MISS/503 1441 GET http://www.google.com.et/search? - NONE/- text/html

That "/503" is one of the HTTP error codes.

Explanation of the error codes:

Reason: the other proxy is refusing connections from our proxy.

Solution: none so far. Will need to get in touch with the admins of the other proxy to try to find out why it refuses connection to our proxy, and how we can fix the problem.

postfix on smtp.dream.edu.et

Basic information is at http://www.postfix.org/basic.html.

Difference between mail name and smarthost:

Quick way to send test mails:

apt-get install mailx
echo ciao | mail efossnet@localhost

To configure a workstation not to do any mail delivery locally and send all mail produced locally to smtp.dream.edu.et:

  1. install postfix choosing "Satellite system"
  2. put smtp.dream.edu.et as a smarthost.

To setup a webmail: apt-get install squirrelmail (on a working apache setup).

To setup mailing lists: apt-get install mailman, then follow the instructions in /usr/share/doc.

Mail server issues we encountered

When a mail is sent to efossnet@localhost, the system tries to send it to efossnet@yoseph.org

Investigation:

Cause: the user efossnet had forgotten that he or she had setup a .forward file in the home directory.

Solution:

 rm ~efossnet/.forward

Apache

To add a new website:

  1. cd /etc/apache2/sites-available
  2. sudo cp default course
  3. sudo vi course:

    1. Remove the first line
    2. Add a ServerName directive with the address of your server: ServerName course.dream.edu.et
    3. Customize the rest as needed: you at least want to remove the support for browsing /usr/share/doc and you want to use a different document root.
  4. sudo a2ensite course

  5. sudo /etc/init.d/apache2 reload

More VIM

Undo: u (in command mode)

Redo: ^R (in command mode)

You can undo and redo multiple times.

To recover a lost password for root or for the ubuntu admin user

Boot with a live CD, mount the system on the hard disk (the live CD usually does it automatically), then edit the file /etc/shadow, removing the password:

enrico:$1$3AJfasjJFHa234dfh230:13343:0:99999:7:::

becomes:

enrico::13343:0:99999:7:::

You can edit the file because, in the live CD system, you can always become root.

After you do this, reboot the system: you can log in without password, and set yourself a new password using the command passwd.

Installing packages not on the CDs

To get a package for installing when offline:

  1. apt-get --print-uris install dnsmasq
  2. Manually download the packages at the URLs that it gives you

Otherwise, apt-get --download-only install dnsmasq will download the package for you in /var/cache/apt/archives.

You can install various previously downloaded debian packages with:

dpkg -i *.deb

Backups

There are various ways:

Makes a low-level dump of the file system.

It must be used for every different partition.

It makes the most exact backup possible, including inode numbers.

It can do full and incremental backups.

To see the type of the filesystems, use 'mount' with no parameters.

To restore: restore or xfsrestore.

Filesystem independent.

It can work accross partitions.

It correctly backups permissions and hard links.

It can do full and incremental backups.

Example:

    tar lzcpf backup.tar.gz /home /var /etc /usr/local
    tar lzcpf root.tar.gz /

To restore:

    tar zxpf backup.tar.gz

Filesystem independent.

Uses hard drive as backup storage.

Always incremental.

It cannot do compression.

Unchanged files in new backups are just links to old backups, and do not occupy space.

Any old backup can be deleted at any time without compromising the others.

It can be used to provided a "yesterday's files" service to users (both locally and exported as a read-only samba share...).

To restore, just copy the files from the backup area.

It is a network backup system.

It can do full and incremental backups.

You can have a backup server which handles the storage and various backup clients that send the files to backup to the server.

It takes some studying to set up.

To restore: it has its own tool.

Some data requires exporting before backing it up:

To restore:

    dpkg --set-selections < list
    debconf-set-selections < pkgconfig
    apt-get dselect-upgrade

If you do this, they you only need to backup /etc, /home, /usr/local, /var.

To restore:

    zcat name-of-database.dump.gz | mysql

You can schedule these dumps to be made one hour before the time you make backups.

Scheduling tasks

As a user:

crontab -e

As root: add a file in one of the /etc/cron.* directories.

In cron.{hourly,daily,weekly,monthly} you put scripts.

In the other directories you put crontab files (man 5 crontab).

If the system is turned off during normal maintainance hours, you can do two things:

  1. Change /etc/crontab to use different maintanance hours
  2. Install anacron (it's installed by default in ubuntu)

For scheduling one-shot tasks, use at(1):

$ at 17:40
echo "Please tell Enrico that the lesson is finished" | mail efossnet@dream.edu.et
^D

When and how to automate

  1. First, you manage to do it yourself
  2. Then, you document it
  3. Then, you automate it

Start at step 1 and go to 2 or 3 if/when you actually need it.

(credits to sto@debian.org: he's the one from which I heard it for the first time, said so well).

Interesting programs to schedule during maintanance

Important keys to know in a Unix terminal

These are special keys that work on Unix terminals:

Therefore, if the terminal looks like it got stuck, try hitting ^Q.

Problems we had today with postfix

Reason:

    $ host -t mx dream.edu.et
    Host dream.edu.et not found: 3(NXDOMAIN)

Solution: tell dnsmasq to handle a MX record also for dream.edu.et:

 mx-host=dream.edu.et,smtp.dream.edu.et,50

Reason: postfix was making complaints which mentioned localhost as a domain name.

Solution: fixed by changing 'myhostname' in main.cf to something different than localhost.

Note: solved by luck. Investigate why this happened.

Problems found yesterday and today

Otherwise, one can add a new (disabled) site that can be used as a template for new sites instead of default.