Tag etiopia

Latest posts for tag etiopia

2009-06-06 00:57:39+02:00

First day in Addis

First day in Addis Ababa, after the introductory session for this 10 days Linux training.

Interesting new quotes I picked up from the excellent presentation of Dr. Dawit:

Much that I bound I could not free Much that I freed returned to me

(I didn't manage to transcribe the attribution)

And this one for Bubulle, about translation:

When you speak to me in my language you speak to my heart when you speak to me in English you speak to my head


Incomplete list of questions I've been asked, in bogosort -n order:

I'm happy to find that we've been successful in building more and more good answers for these questions.

eng etiopia pdo
2009-06-06 00:57:39+02:00

Fifth day in Addis


To get samba:

    apt-get install samba samba-doc smbclient

To get the Samba Web Administration Tool:

    apt-get install swat netkit-inetd

The configuration is in /etc/samba:

One could use swat at http://localhost:901/ but it does not work easily on Ubuntu.

To see what is shared:

    smbclient -L localhost

To access a share:

    smbclient //localhost/name-of-the-share

To add a new user:

    sudo smbpasswd -a username

To change the password of a user:

    sudo smbpasswd username

To test accessing a share as a user:

    smbclient //localhost/web -U yared


    man smb.conf

To force the user or group used to access a share:

    force user = enrico
    force group = www-data

To set the unix permissions for every created file:

    # For files
    create mask = 0664
    # For directories
    directory mask = 0775

Example share configuration for a webspace:

    mkdir /var/www/public
    chgrp www-data /var/www/public
    chmod 0775 /var/www/public

Then, in /etc/samba/smb.conf:

       comment = Webspace
       path = /var/www
       writable = yes
       public = no
       force group = www-data
       create mask = 0664
       directory mask = 0775

Example share configuration for a read only directory where only a limited group of people can write:

       comment = Documents
       path = /home/enrico/Desktop/documents
       force user = enrico
       public = yes
       writable = no
       write list = enrico, yared

Print server (CUPS)


    apt-get install cupsys


Example IPP URIs:


For example:


"This printer uri scheme can be used to contact local or remote print services to address a particular queue on the named host in the uri. The "ipp" uri scheme is specified in the Internet Print Protocol specifications and is actually much more free form that listed above. All Solaris and CUPS based print queues will be accessed using the formats listed above. Access to print queues on other IPP based print servers requires use of the server supported ipp uri format. Generally, it will be one of the formats listed above."

LDAP Lightweight Directory Access Protocol


    apt-get install ldap-utils slapd

The configuration is in /etc/ldap.

To access a ldap server:

    apt-get install gq

Various LDAP HOWTOs:


The configuration file is in /boot/grub/menu.lst.

The documentation can be accessed as info grub after installing the package grub-doc.

Quick list of keys for info:

Grub trick to have a memory checker:

  1. apt-get install memtest86+
  2. Add this to /boot/grub/menu.lst:
    title Memory test
        root (hd0,5)
        kernel /boot/memtest86+.bin


With iptables:

    man iptables
    # Only allow in input the network packets
    # that are going to the web server
    iptables -P INPUT DROP
    iptables -A INPUT --protocol tcp --destination port 80 -j ACCEPT
    # To reset the input chain as the default
    iptables -F INPUT
    iptables -P INPUT ACCEPT

Some links:



    apt-get install squid

The configuration is in /etc/squid/squid.conf.

To allow the local network to use the proxy:

    # Add this before "http_access deny all"
    acl our_networks src
    http_access allow our_networks

To use a parent proxy:

    cache_peer proxy.aau.edu.et     parent    8080  0  proxy-only no-query

Pay attention because /var/spool/squid will grow as the cache is used. The maximum cache size is set in the directive cache_dir.

Information about squid access control is at http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

To check that the configuration has no syntactic errors: squid -k parse.

To match urls:

    acl forbiddensites url_regex [-i] regexp

For info about regular expressions:

    man regex

Example filtering by regular expression:

    acl skype url_regex -i [^A-Za-z]skype[^A-Za-z]
    http_access deny skype

Transparent proxy setup: http://www.tldp.org/HOWTO/TransparentProxy.html

Problems found today

Hiccups of the day:

Update: Marius Gedminas writes:

I think it would be a good idea to mention that running

     iptables -P INPUT DROP

in the shell is a Bad Idea if you're logged in remotely via SSH.

eng etiopia pdo tips
2009-06-06 00:57:39+02:00

Fourth day in Addis

Unix file permissions:

    drwxr-xr-x   2 root root    38 2006-07-14
    +- Is a directory

    drwxr-xr-x   2 root root    38 2006-07-14
      +- User permissions (u)

    drwxr-xr-x   2 root root    38 2006-07-14
         +- Group permissions (g)

    drwxr-xr-x   2 root root    38 2006-07-14
            +- Permissions for others (o)

    drwxr-xr-x   2 root root    38 2006-07-14
                    +- Owner user

    drwxr-xr-x   2 root root    38 2006-07-14
            Owner group -+

Other bits:

The executable bit for directories means "can access the files in the directory".

If a directory is readable but not executable, then I can see the list of files (with ls) but I cannot access the files.

To access a file, all the directories of its path up to / need to be executable.

Commands to manipulate permissions:

Example setup for a website for students:

    # Create the group 'students'
    mkdir /var/www/students
    chgrp students /var/www/students
    chmod 2775 /var/www/students

    # If you don't want other users to read the files of the students:

    chmod 2770 /var/www/students
    adduser www-data students
     (this way the web server can read the

    # when you add a user to a group, it does not affect running processes:

     - users need to log out and in again
     - servers need to be restarted


in /etc/apache/apache2.conf (set it to your IP address)

Apache troubleshooting:

This it is always a good thing to do before restarting or reloading apache.

To install PHP

To install MySQL

To use MySQL from PHP:

    apt-get install php5-mysqli php5-mysql

Problems found today:

eng etiopia pdo tips
2009-06-06 00:57:39+02:00

Third day in Addis

Believe it or not, a network that fails often is the best thing to have when you are teaching network troubleshooting.

Various tools useful for networking:


    # Look at what machines are active in the local network:
    nmap -sP

    # Look at what ports are open in a machine:

It can be used to see if there is traffic, and to detect traffic that shouldn't be there.

Useful tip:

    # Convert a unix timestamp to a readable date
    date -d @1152841341

What happens when you browse a web page:

  1. type the address www.google.com in the browser
  2. the browser needs the IP address of the web server:

  3. look for the DNS address in /etc/resolv.conf (/etc/resolv.conf is created automatically by the DHCP client)

  4. try all the DNS servers in /etc/resolv.conf until one gives you the IP address of www.google.com
  5. take the first address that comes from the DNS (in our case was

  6. figure out how to connect to

  7. consult the routing table to see if it's in the local network:

    1. if it's in the local network, then look for the MAC address (using ARP
      • Address Resolution Protocol)
    2. if it'd not in the local network, then send through the gateway (again using ARP to find the MAC address of the gateway)
  8. Send out the HTTP request to the local web server or through the gateway, using the Ethernet physical protocol, and the MAC address to refer to the other machine.

Troubleshooting network problems:

  1. See if the network driver works:

  2. With ifconfig, see if you see the HWaddr:. If you do not see it, then the linux driver for the network card is not working. Unfortunately there's no exact way to say that it works perfectly

  3. See if you have an IP address with ifconfig. If you find out that you need to rerun DHCP (for example, if the network cable was disconnected when the system started), then you can do it either by deactivating/reactivating the Ethernet interface using System/Administration/Networking or, on a terminal, running:

    # ifdown eth0
    # ifup eth0

    If you don't get an IP, try to see if the DHCP server is reachable by running:

    $ arping -D [address of DHCP server]
  4. See if the local physical network works:

  5. With sudo mii-tool, see if the cable link is ok. If it's not, then it's a problem in the cable or the plugs, or simply the device at the other end of the cable is turned off.

  6. Try arping or ping -n on a machine in the local network (like the gateway) to see if the local network works.

  7. See if the DNS works:

  8. Find out the DNS address:

    cat /etc/resolv.conf
  9. If it's local, arping it

  10. If it's not local, ping -n it
  11. Try to resolve a famous name using that DNS:

    $ host [name] [IP address of the DNS]
  12. Try to resolve the name of the machine you're trying to connect. If you can resolve a famous name but not the name you need, then it's likely a problem with their DNS.

  13. If you use a proxy, see if the proxy is reachable: check if the proxy name resolves to an IP, if you can ping it, if you can telnet to the proxy address and port:

    $ telnet [proxy address] [proxy port]

    you quit telnet with ^]quit.

  14. If you can connect directly to the web server, try to see if it answers:

    $ telnet [address] 80

    If you are connected, you can confirm that it's a web server:

    GET / HTTP/1.0 (then Enter twice)

    If it's a web server, it should give you something like a webpage or an HTTP redirect.

When you try to setup a service and it doesn't work:

  1. check that it's running:

    $ ps aux | grep dnsmasq
  2. check that it's listening on the right port:

    $ sudo netstat -lp
  3. check that it's listening from the outside:

    $ nmap [hostname]
  4. check for messages in /var/log/daemon.log or /var/log/syslog

  5. check that the configuration is correct and reload or restart the server to make sure it's running with the right configuration:

    # /etc/init.d/dnsmasq restart


By default: works as a DNS server that serves the data in /etc/hosts.

By default: uses /etc/resolv.conf to find addresses of other DNS to use when a name is not found in /etc/hosts.

To enable the DHCP server, uncomment:


in /etc/dnsmasq.conf and set it to the range of addresses you want to serve. Pay attention to never put two DHCP servers on the same local network, or they will interfere with each others.

To test if the DHCP server is working, use dhcping (not installed by default on Ubuntu).

To communicate other information like DNS, gateway and netmask to the clients, use this piece of dnsmasq.conf:

    # For reference, the common options are:
    # subnet mask - 1
    # default router - 3
    # DNS server - 6
    # broadcast address - 28

Problems found today:

Quick start examples with tar:

    # Create an archive
    tar zcvf nmap.tar.gz *.deb

    # Extract an archive
    tar zxvf nmap.tar.gz

    # Look at the contents of an archive
    tar ztvf nmap.tar.gz

Quick & dirty way to send a file between two computers without web server, e-mail, shared disk space or any other infrastructure:

    # To send
    nc -l -p 12345 -q 1 < nmap.tar.gz

    # To receive
    nc 12345 > nmap.tar.gz

    # To repeat the send command 20 times
    for i in `seq 1 20`; do nc -l -p 12345 -q 1 < nmap.tar.gz ; done

Update: Javier Fernandez-Sanguino writes:

Your "XXX day in Addis" is certainly good reading, nice to see somebody reviewing common tools from a novice point of view. Some comments:

  • Regarding your comments on how to troubleshoot network connectivity problems I just wanted to point you to the network test script I wrote and submited to the debian-goodies package ages ago. It's available at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307694 and should do automatically most of the stuff you commented on your blog.

  • Your example to test hosts alive in the network using nmap -sP is good. However, newer (v4) versions can do ARP ping in the local network which is much more efficient (some systems might block ICMP outbount), that's the -PR option and should be enabled (by default). See http://www.insecure.org/nmap/man/man-host-discovery.html Also, you might want to add a '-n' there so that nmap does not try to do DNS resolution of the hosts (which might take up some time if your DNS does not include local IPs)

  • tcpdump, it would be wiser to turn novice users to ethereal since it has a much better UI than tcpdump and it is able to dissect (interpret) protocols that tcpdump can't analyse.

  • you are missing arp as a tool in itself, it is useful to debug network issues since if the host is local and does not show up in arp output either a) it's down or b) you don't have proper network connectivity. (If you are missing an ARP entry for your default gateway your setup is broken)

Update: Marius Gedminas writes:

Re: http://www.enricozini.org/blog/eng/third-day-in-addis

In my experience if sudo cannot resolve the hostname (e.g. if you break /etc/hosts), you can still use sudo, but you have to wait something like 30 seconds until the DNS request times out.

I tried to break my /etc/hosts (while keeping a root shell so I can fix it if something goes wrong), but couldn't even get the timeout now. Sudo just said unable to lookup $hostname via gethostbyname() and gave me a root shell.

eng etiopia pdo tips
2009-06-06 00:57:39+02:00

Addis course Tasks & Skills questions

What does it do?

What command would you use to add a new username and password to /etc/apache2/students? (you can write the entire commandline if you know it, but just the name of the command is fine)

What are their advantages and disadvantages?

eng etiopia pdo
2009-06-06 00:57:39+02:00

Eight day in Addis

Useful things to keep in mind when setting up a service:

Example use of vim block selection:

To change network configuration with config files, edit:


To also setup DNS in /etc/network/interfaces, use dns-search and dns-nameservers (for this to work, you need to have the package resolvconf):

dns-search dream.edu.et

To make a router that connects to the internet on demand using a modem:

apt-get install diald

To see the path of network packets:


Basic NAT script:


modprobe iptable_nat
iptables -t nat -A POSTROUTING -o $OUT -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

What happens at system startup:

  1. the BIOS loads and runs the boot loader
  2. the boot loader loads the kernel and the inintrd ramdisk and runs the kernel
  3. the kernel runs the script 'init' in the initrd ramdisk
  4. the script 'init' mounts the root directory
  5. the script 'init' runs the command /sbin/init in the new root directory
  6. 'init' starts the system with the configuration in /etc/inittab

To install a new startup script:

sudo ln -s /usr/local/sbin/firewall /etc/init.d
sudo update-rc.d firewall defaults 16 75

Normally you can just do:

sudo update-rc.d [servicename] defaults

To have a look at the start and stop order numbers, look at /etc/rc2.d for other start scripts and /etc/rc0.d for other stop scripts

To test a proxy, low level way:

$ telnet proxy 8080
Connected to proxy.dream.edu.et.
Escape character is '^]'.
GET http://www.google.com HTTP/1.0 [press enter twice]
eng etiopia pdo tips
2009-06-06 00:57:39+02:00

Ninth day in Addis


To enable remote logins with ssh

apt-get install openssh-server

Then you can login with:

$ ssh efossnet@proxy.dream.edu.et

To verify the host key fingerprint of a machine:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

Note: you need to verify it before logging in!

More information at http://www.securityfocus.com/infocus/1806

Example ssh usages

To log in:

    $ ssh efossnet@proxy

To run a command in the remote computer:

    $ ssh efossnet@proxy "cat /etc/hosts"

To copy a file to the remote computer:

    $ scp Desktop/july-18.tar.gz efossnet@proxy:

To copy a file from the remote computer:

    $ scp efossnet@proxy:july-18.tar.gz /tmp/

Beware of brute-force login attempts

Warning about SSH: there are people who run automated scans for ssh servers and try to login using commonly used easy passwords.

If you have an SSH server on the network, use strong passwords, or if you can it's even better to disable password authentication: in /etc/ssh/sshd_config, add:

    PasswordAuthentication no

To log in using public/private keys:

  1. Create your key:

    ssh-keygen -t rsa
  2. Copy your public key to the machine where you want to log in:

    ssh-copy-id -i .ssh/id_rsa.pub efossnet@proxy
  3. Now you can ssh using your RSA key

If you use ssh often, read these:


Problems we had today with the proxy:

ssl does not work

Reason: squid tries to directly connect to the ssl server, but the AAU network wants us to go through their proxy.

Ideal solution: none. There is no way to tell squid to use a parent proxy for SSL connections.

Solution: update the documentation for the Dream university users telling to setup a different proxy for SSL connections.

Longer term solution: get the AAU network admins to enable outgoing SSL connections from the Dream university proxy.

Other things that can be done:

Browsing normal pages returns an error of 'Connection refused'.

In the logs, the line is:

1153294204.912    887 TCP_MISS/503 1441 GET http://www.google.com.et/search? - NONE/- text/html

That "/503" is one of the HTTP error codes.

Explanation of the error codes:

Reason: the other proxy is refusing connections from our proxy.

Solution: none so far. Will need to get in touch with the admins of the other proxy to try to find out why it refuses connection to our proxy, and how we can fix the problem.

postfix on smtp.dream.edu.et

Basic information is at http://www.postfix.org/basic.html.

Difference between mail name and smarthost:

Quick way to send test mails:

apt-get install mailx
echo ciao | mail efossnet@localhost

To configure a workstation not to do any mail delivery locally and send all mail produced locally to smtp.dream.edu.et:

  1. install postfix choosing "Satellite system"
  2. put smtp.dream.edu.et as a smarthost.

To setup a webmail: apt-get install squirrelmail (on a working apache setup).

To setup mailing lists: apt-get install mailman, then follow the instructions in /usr/share/doc.

Mail server issues we encountered

When a mail is sent to efossnet@localhost, the system tries to send it to efossnet@yoseph.org


Cause: the user efossnet had forgotten that he or she had setup a .forward file in the home directory.


 rm ~efossnet/.forward


To add a new website:

  1. cd /etc/apache2/sites-available
  2. sudo cp default course
  3. sudo vi course:

    1. Remove the first line
    2. Add a ServerName directive with the address of your server: ServerName course.dream.edu.et
    3. Customize the rest as needed: you at least want to remove the support for browsing /usr/share/doc and you want to use a different document root.
  4. sudo a2ensite course

  5. sudo /etc/init.d/apache2 reload

More VIM

Undo: u (in command mode)

Redo: ^R (in command mode)

You can undo and redo multiple times.

To recover a lost password for root or for the ubuntu admin user

Boot with a live CD, mount the system on the hard disk (the live CD usually does it automatically), then edit the file /etc/shadow, removing the password:




You can edit the file because, in the live CD system, you can always become root.

After you do this, reboot the system: you can log in without password, and set yourself a new password using the command passwd.

Installing packages not on the CDs

To get a package for installing when offline:

  1. apt-get --print-uris install dnsmasq
  2. Manually download the packages at the URLs that it gives you

Otherwise, apt-get --download-only install dnsmasq will download the package for you in /var/cache/apt/archives.

You can install various previously downloaded debian packages with:

dpkg -i *.deb


There are various ways:

Makes a low-level dump of the file system.

It must be used for every different partition.

It makes the most exact backup possible, including inode numbers.

It can do full and incremental backups.

To see the type of the filesystems, use 'mount' with no parameters.

To restore: restore or xfsrestore.

Filesystem independent.

It can work accross partitions.

It correctly backups permissions and hard links.

It can do full and incremental backups.


    tar lzcpf backup.tar.gz /home /var /etc /usr/local
    tar lzcpf root.tar.gz /

To restore:

    tar zxpf backup.tar.gz

Filesystem independent.

Uses hard drive as backup storage.

Always incremental.

It cannot do compression.

Unchanged files in new backups are just links to old backups, and do not occupy space.

Any old backup can be deleted at any time without compromising the others.

It can be used to provided a "yesterday's files" service to users (both locally and exported as a read-only samba share...).

To restore, just copy the files from the backup area.

It is a network backup system.

It can do full and incremental backups.

You can have a backup server which handles the storage and various backup clients that send the files to backup to the server.

It takes some studying to set up.

To restore: it has its own tool.

Some data requires exporting before backing it up:

To restore:

    dpkg --set-selections < list
    debconf-set-selections < pkgconfig
    apt-get dselect-upgrade

If you do this, they you only need to backup /etc, /home, /usr/local, /var.

To restore:

    zcat name-of-database.dump.gz | mysql

You can schedule these dumps to be made one hour before the time you make backups.

Scheduling tasks

As a user:

crontab -e

As root: add a file in one of the /etc/cron.* directories.

In cron.{hourly,daily,weekly,monthly} you put scripts.

In the other directories you put crontab files (man 5 crontab).

If the system is turned off during normal maintainance hours, you can do two things:

  1. Change /etc/crontab to use different maintanance hours
  2. Install anacron (it's installed by default in ubuntu)

For scheduling one-shot tasks, use at(1):

$ at 17:40
echo "Please tell Enrico that the lesson is finished" | mail efossnet@dream.edu.et

When and how to automate

  1. First, you manage to do it yourself
  2. Then, you document it
  3. Then, you automate it

Start at step 1 and go to 2 or 3 if/when you actually need it.

(credits to sto@debian.org: he's the one from which I heard it for the first time, said so well).

Interesting programs to schedule during maintanance

Important keys to know in a Unix terminal

These are special keys that work on Unix terminals:

Therefore, if the terminal looks like it got stuck, try hitting ^Q.

Problems we had today with postfix


    $ host -t mx dream.edu.et
    Host dream.edu.et not found: 3(NXDOMAIN)

Solution: tell dnsmasq to handle a MX record also for dream.edu.et:


Reason: postfix was making complaints which mentioned localhost as a domain name.

Solution: fixed by changing 'myhostname' in main.cf to something different than localhost.

Note: solved by luck. Investigate why this happened.

Problems found yesterday and today

Otherwise, one can add a new (disabled) site that can be used as a template for new sites instead of default.

eng etiopia pdo tips
2009-06-06 00:57:39+02:00


Da una canzone in amarico:

"Il tuo amore è diventato vecchio

come gli edifici costruiti dagli italiani"

etiopia ita life
2009-06-06 00:57:39+02:00


È interessante, bello e triste allo stesso tempo trovarsi a ridefinire il significato di "Abissinia". E maledire che per i primi 30 anni della tua vita, quella parola l'hai sentita soltanto quando uno stronzo cantava "Faccetta nera".

etiopia life rant
2009-06-06 00:57:39+02:00

Procedure to check if all the services of Dream University are up and running

Tenth day in Addis

If a machine blocks pings, use arping instead.

  1. Test DHCP:

    $ sudo ifdown eth0
    $ sudo ifup eth0
    $ ifconfig
  2. Test the DNS:

    # See if the DNS machine is on
    # The network
    $ ping -n
    # See if the DNS resolves names
    $ host www.dream.edu.et
  3. Test the gateway:

    # Ping the gateway
    $ ping gateway
    # Ping an outside host
    $ ping -n
  4. Test the proxy:

    # Ping the proxy
    $ ping proxy
    # Open a web page and see if it displays
    # See if it caches
    http_proxy=http://proxy.dream.edu.et:3030/ wget -S -O/dev/null http://www.enricozini.org  2>&1 | grep X-Cache
  5. Test the mail server:

    $ ping smtp
    $ nmap smtp -p 25 |grep 25/tcp
    $ if nmap gateway -p 25 |grep 25/tcp | grep -q open ; then echo "It works"; fi
    $ send a mail and see if you receive it

To do more advanced network and service monitoring, try nagios:

New useful tools seen today

wget - The non-interactive network downloader.

Special devices

Example uses:

wget -O/dev/null http://www.example.org

dd if=/dev/zero of=testdisk bs=1M count=50
mke2fs testdisk
sudo mount -o loop testdisk  /mnt

Tiny little commands

Example uses:

Some more shell syntax

Some people run commands ignoring the standard error: command 2> /dev/null this causes unexpected error messages to go unnoticed: please do not do it.

What to check if a machine is very slow

More VIM command mode

Command mode allows to perform various text editing functions.

You work by performing operations on selected blocks of text.

Some common operations:

Some common blocks:


The best way to learn more vim is always to run vimtutor.

Installing squirrelmail

To install squirrelmail:

  1. apt-get install squirrelmail
  2. /usr/sbin/squirrelmail-config and configure IMAP and SMTP.

    In our case, since we use IMAPS, the IMAP server is imap.dream.edu.et, port 993, secure IMAP enabled and SMTP is smtp.dream.edu.et. 3. Read /usr/share/doc/squirrelmail/README.Debian.gz (with zless) for how to proceed with setup. A short summary: * link /etc/squirrelmail/apache.conf into the apache conf.d directory * customise /etc/squirrelmail/apache.conf for example setting up the virtual hosts, or running it only on SSL

To have different virtual hosts over HTTPS, you need to have a different IP for every virtual host: name based virtual hosts do not work on HTTPS.

You can configure multiple IP addresses on the same computer: use network interfaces named: eth0:1, eth0:2, eth0:3... These are called interface aliases.

You cannot setup interface aliases using the graphical network configuration and you need to add them in /etc/network/interfaces:

    iface eth0:1 inet static
    auto eth0:1

This is the trick commonly used to put different virtual HTTPS hosts on the same computer.


squid documentation:

Shell programming:

Performance analysis:

Setting up mail services:

eng etiopia pdo tips