Debian/Ubuntu Tips and Tricks

Debuntu

Debian/Ubuntu Tips and Tricks

Archive for the 'Administration' Category

How Tos on administration. How to make your system run smoothly, tips and tricks on getting over common troubles.

How-To: Bash Parameter Expansion and Default Values

Posted by chantra on 28th January 2013

Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file.
There is much more to bash than running a sequence of commands, one of the features bundled with bash is parameter expansion.

Any shell user has most likely used shell variables, be it $1 or $myvar, to save values... but there is more to it. This tutorial will cover a subset of shell parameter expansion that can become really handy and save you a lot of time.

Read the rest of this entry »

Tags: , , ,
Posted in Administration, HowTo, Softwares, System | No Comments »

Mastering Top

Posted by chantra on 22nd January 2013

top is most likely one of the most known Linux command and also one of the most used one, however most people do not take full advantage of its capabilities.

In this tutorial, we will see a few usages of top that will make allow you to get more out of it.

Read the rest of this entry »

Tags: , ,
Posted in Administration, HowTo, System | 4 Comments »

How-To: OpenVPN on Debian Squeeze with Username/Password authentication

Posted by chantra on 16th January 2013

Creating the configuration

Now that we have our certificates ready, we need to create a set of config for the server and the client.

Server side

On the server side, you will need to create the file /etc/openvpn/server.conf and edit it with:

dev tun
proto udp
port 1194
# since OpenVPN 2.1 we can use topology subnet
topology subnet
# if we want to change the temp directory location
; tmp-dir /dev/shm
# certs
ca keys/ca.crt
cert keys/server01.crt
key keys/server01.key
dh keys/dh1024.pem
# TLS
tls-auth keys/ta.key 0
# Keepalive
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
comp-lzo
# Write operational status to this file
status openvpn-status.log
# Drop privileges
user nobody
group nogroup
# As we dropped privileges, make sure we dont
# close/reopen tun interface amd re-read key files
# accross SIGUSR1
persist-key
persist-tun
# Our subnet
server 10.8.0.0 255.255.255.0
# Redirect all traffic to our OpenVPN server
push "redirect-gateway def1 bypass-dhcp"
# We want client to use our DNS server
push "dhcp-option DNS 10.8.0.1"
ifconfig-pool-persist ipp.txt
# If you want OpenVPN clients
# to be able to connect directly
# to each others
; client-to-client
# Use PAM authentication
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# we dont want to use client certificate
client-cert-not-required
username-as-common-name
# enable mgmt over telnet
management localhost 1194 mgmt-pw-file
verb 3

Then, we need to copy the certificates/keys in the keys directory of /etc/openvpn:

mkdir /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,server01.crt,server01.key,dh1024.pem,ta.key} /etc/openvpn/keys/

And, in order to be able to manage openvpn from a telnet connection, we will create a file called /etc/openvpn/mgmt-pw-file with password "password":

echo password > /etc/openvpn/mgmt-pw-file
chmod 700 /etc/openvpn/mgmt-pw-file
chown root:root /etc/openvpn/mgmt-pw-file

Everything should be setup for the server side, now we need to edht /etc/default/openvpn to make sure that this configuration get started when using the init script. So, edit that file and make sure it contains:

AUTOSTART="server"

O'rite, you can now restart openvpn service with:

# /etc/init.d/openvpn restart

Now, our server should be up and running. If anything went wrong, /var/log/daemon.log is the place to look into.

At this stage, you should also be able to connect to localhost on TCP port 1194 using telnet. You will be prompted for a password, this is the password you have set in /etc/openvpn/mgmt-pw-file.
Once you logged in, you will be able to access the management interface of openvn!

Enabling IP forwarding

As we will be routing packets, we need to enable IP forwarding. To do this create a file called /etc/sysctl.d/forwarding.conf which contains:

net.ipv4.ip_forward=1

And apply the change with:

root@ovpnrouter:~# sysctl -p /etc/sysctl.d/forwarding.conf
net.ipv4.ip_forward = 1

IPTable

At this stage, the openvpn server could handle clients, forward packets, but packets would be routed with their original private IP. To give proper network connectivity to our OpenVPN clients, we will need to NAT the traffic.
This can be done by using the following command:

root@ovpnrouter:~# iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Configuring Iptable is not in the scope of this article. You might want to refer to IPtables: how to share your internet connection.

Anyhow, let's move forward and set up a client!

Tags: , , , ,
Posted in Administration, HowTo, Networking, Softwares, System | No Comments »

How-To: Running Munin 2.0 on Debian Squeeze (6.0)

Posted by chantra on 7th January 2013

Munin 2.0 has been released and a .deb package has even been backported to Debian Squeeze!.

Version 2.0 comes with a bunch of new features and scalability improvements. This how-to will explain how to install and configure Munin 2.0 using Apache and mod-fcgid on Debian Squeeze.

Read the rest of this entry »

Tags: , , ,
Posted in Administration, HowTo, System | No Comments »

How-To: Change boot runlevel with Grub2

Posted by chantra on 14th December 2012

Linux start up behaviour is driven by the so-called runlevels. It will use the default value provided in /etc/inittab for some systems (Debian...), or /etc/init/rc-sysinit.conf or some others (Ubuntu...).

This tutorial will show how to change the runlevel used during boot by modifying Grub2 start up prompt.

Read the rest of this entry »

Tags: , ,
Posted in Administration, HowTo, System | No Comments »

How-To: Tmux a Terminal Multiplexer

Posted by chantra on 7th December 2012

As a sysadmin, most of my time is spent working on remote machines and different task. tmux is a terminal multiplexer, meaning it allows you to run multiple terminals in the same windows.

This tutorial will explain the basics features of tmux that should help you be more productive with your every day task.

Read the rest of this entry »

Tags: ,
Posted in Administration, HowTo, System | 2 Comments »

How-To: Log HAProxy messages only once

Posted by chantra on 27th January 2012

When enabling logs with HAProxy on a busy web site, hard disk space can quickly become a scarce resource.

The reason is that, most of the time, HAProxy is set to use local0 facility which tend to write logs to a bunch of files in /var/log such as messages...

Thanks to rsyslog, we will be able to canalize those logs to a more appropriate location and only once, saving a bunch of disk space.

This tutorial will go over the steps required to accomplish this set up.

Read the rest of this entry »

Tags: ,
Posted in Administration, HowTo, System | 6 Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 3

Posted by chantra on 18th June 2010

This entry is part 3 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Using freeradius for authentication

Here I am going to consider that the freeradius server is set up correctly, meaning that you can already authenticate your users with freeradius using radtest utility.

Read the rest of this entry »

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | No Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 2

Posted by chantra on 18th June 2010

This entry is part 1 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

XL2TP

Now, let's get on the next phase: XL2TP.

Packages Requirements

You can install xl2tp with the following command:

# apt-get install xl2tp

Read the rest of this entry »

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | 1 Comment »

How-To: Set up a L2TP over IPSec VPN using a Radius backend

Posted by chantra on 18th June 2010

This entry is part 1 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Even though I pretty like OpenVPN, there is still some devices that might not support the TUN/TAP driver needed by OpenVPN.

Take IPhones, Android phones for instance, you need to root them in order to get that feature, assuming somebody has already cooked a ROM for your device.

L2TP is quite and old standard that allow setting up VPNs.

On the other end, it does not provide any kind of encryption mechanism, and as such, it is pretty common to get L2TP running over an IPSec link.

Read the rest of this entry »

Tags: , , , ,
Posted in Administration, HowTo, Networking, System | 1 Comment »