
Posts Tagged ‘Linux’

Moving into the cloud

January 17th, 2010 No comments

Last week I set up a server in a cloud based on Xen virtualization technology. After some hours of research I decided to go for the Rackspace cloud. I chose the minimal setup to start with, which is a 256MB memory configuration that comes with 10GB disk space. As stated in the specs, the 256MB plan gets you 1/64 of the CPU allocation, which is fine to start with for a standard LAMP setup.

For now they only offer a large variety of Linux distributions. I chose Debian 5.0 Lenny, because it makes migration easier as the site is already running on Debian 5.0. The registration process and setup of the minimal Debian install went very smoothly. In under two hours I had successfully migrated a website. So for the setup part I am totally satisfied; let’s see how the availability part develops.


vsftpd and SSL

November 28th, 2009 No comments

This howto describes how to configure vsftpd to enable SSL using so-called intermediate (chaining) certificates.

Edit vsftpd.conf so that SSL is enabled:

# enable SSL/TLS support
ssl_enable=YES
# one file holding the server certificate, the chain and the private key (see below)
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
# NO keeps plaintext logins and data transfers allowed next to SSL ones;
# set both to YES to refuse unencrypted sessions for local users
force_local_data_ssl=NO
force_local_logins_ssl=NO

It is very important to construct the certificate file /usr/share/ssl/certs/vsftpd.pem with the certificates in the correct order. First, your certificate file has to be a .pem file. If you also received an intermediate certificate, you have to concatenate it with the domain certificate and your private key file into one single .pem file. Make sure all the information is included, without any spaces or blank lines, as shown below.

-----BEGIN CERTIFICATE-----
(your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chaining certificate 1)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(your_domain_name.key)
-----END RSA PRIVATE KEY-----
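A layout check for the bundle above, as an added example that is not part of the original post: it verifies that every END marker matches its BEGIN, that no blank lines or stray whitespace crept in, that each body is valid base64, and that the blocks run server certificate, chain, then exactly one private key. It reads the file structure only; whether each certificate was really issued by the next one still has to be checked with openssl or a certificate library. The sample bundles are constructed with fake base64 bodies.

```python
import base64
import re

MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")

def pem_block(label, payload):
    """Constructed PEM block with a fake base64 body (not a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

def lint_bundle(text):
    """Return a list of layout problems; an empty list means the bundle is usable.
    Expected: CERTIFICATE blocks (server cert first, then the chain), then one private key."""
    problems, labels, open_label, body = [], [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line != line.strip():
            problems.append(f"line {lineno}: leading/trailing whitespace")
        m = MARKER.match(line.strip())
        if m and m.group(1) == "BEGIN":
            if open_label:
                problems.append(f"line {lineno}: BEGIN inside open {open_label} block")
            open_label, body = m.group(2), []
        elif m:  # an END marker must close the block that is currently open
            if m.group(2) != open_label:
                problems.append(f"line {lineno}: END {m.group(2)} does not match BEGIN {open_label}")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    problems.append(f"line {lineno}: {open_label} body is not valid base64")
                labels.append(open_label)
            open_label = None
        elif not line.strip():
            problems.append(f"line {lineno}: blank line")
        elif open_label:
            body.append(line.strip())
        else:
            problems.append(f"line {lineno}: text outside any block")
    if open_label:
        problems.append(f"unterminated {open_label} block")
    if not labels or "PRIVATE KEY" not in labels[-1] or any(l != "CERTIFICATE" for l in labels[:-1]):
        problems.append("expected CERTIFICATE block(s) followed by exactly one private key block")
    return problems

# Constructed bundles: correct layout, the mistyped END marker, and the key placed first.
GOOD = (pem_block("CERTIFICATE", b"server cert") + pem_block("CERTIFICATE", b"intermediate")
        + pem_block("RSA PRIVATE KEY", b"key"))
BAD_MARKER = GOOD.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE KEY-----", 1)
KEY_FIRST = pem_block("RSA PRIVATE KEY", b"key") + pem_block("CERTIFICATE", b"server cert")
```

Run it against the real file with `lint_bundle(open("/usr/share/ssl/certs/vsftpd.pem").read())` before restarting vsftpd.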

This is how to check an SSL-enabled FTP service (FTP Secure). See the result below:

$ lftp -u username localhost -e "debug;set ftp:ssl-protect-data true;ls;exit"
Password:
---- Connecting to ftp.student.vu.nl (130.37.129.243) port 21
<--- 220 Welcome to the Storage FTP service.
---> FEAT
<--- 211-Features:
<---  AUTH SSL
<---  AUTH TLS
<---  EPRT
<---  EPSV
<---  MDTM
<---  PASV
<---  PBSZ
<---  PROT
<---  REST STREAM
<---  SIZE
<---  TVFS
<---  UTF8
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> OPTS UTF8 ON
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
  Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
  Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
<--- 200 Always in UTF8 mode.
---> USER xxx330
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (130,37,129,243,196,139).
---- Connecting data socket to (130.37.129.243) port 50315
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: C=NL,O=Vereniging VU-Windesheim,OU=UC-IT,CN=ftp.student.vu.nl
 Issued by:        C=NL,O=TERENA,CN=TERENA SSL CA
 Checking against: C=NL,O=TERENA,CN=TERENA SSL CA
  Trusted
Certificate: C=NL,O=TERENA,CN=TERENA SSL CA
 Issued by:        C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Checking against: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
  Trusted
Certificate: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
 Issued by:        C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Checking against: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
Certificate: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
 Issued by: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
  Trusted
---- Got EOF on data connection
---- Closing data socket
drwxrwsr-x    3 72745    513          4096 Oct 23 14:28 public_html
<--- 226 Directory send OK.
---> QUIT
---- Closing control socket
$

License to rdesktop

November 3rd, 2009 1 comment

Today I received a strange message when I tried to open an RDP connection.

$ rdesktop windows.server.local
Autoselected keyboard map en-us
disconnect: No valid license available.

To resolve this issue you need to pass the client hostname with the -n option.

$ rdesktop -n hostname windows.server.local
Autoselected keyboard map en-us
WARNING: Remote desktop does not support colour depth 24; falling back to 16

This happens with rdesktop version 1.6.0 on Fedora 11 (rdesktop-1.6.0-4.fc11.x86_64).


WP add media problem

October 9th, 2009 No comments

When using WordPress version 2.5.1 (Debian Lenny package) it is not possible to add or upload media using the “Add media” button in the editor. If you click on “Add an image”, a new window appears where you should have the option buttons “Browse” and “Upload”, but they’re gone. What’s left is a “Choose files to upload” button that doesn’t do anything.

I have experienced this problem when using Mozilla Firefox 3.0.14 on Linux with the Shockwave Flash add-on enabled.

Workaround: when this add-on is disabled, the add-media problem does not occur. To disable the add-on, open Firefox, go to ‘Tools’ -> ‘Add-ons’ and disable Shockwave Flash.


Home phone by Asterisk

September 1st, 2009 1 comment

Last week I spent some time setting up an Asterisk PBX at home. Because I like the technology and my girlfriend likes to use the phone, I decided to build my own PBX (Private Branch Exchange), in other words a telephone exchange. After some research I figured out what the requirements were and came up with the following components:
- a SIP provider
- a SIP compliant phone
- Asterisk PBX software
- an Internet connected Linux server running 24/7

As for the SIP provider I chose Budgetphone, because they support Asterisk and you get a local-area number on which you can be called.

In my search for a suitable phone I selected the Siemens Gigaset A580 IP. The main reasons I chose this phone were:
- it’s a hybrid phone, so you can use POTS and/or VoIP
- it’s energy efficient, using multiple energy-saving technologies
- it’s in an affordable price range

The installation of Asterisk was a piece of cake. Being a very happy user of Debian Linux, I installed the pre-compiled package from the Debian repository with the following command:

# apt-get install asterisk asterisk-sounds-main

In my case the Asterisk server has a public IP address, and the phone base station is located in private IP space behind a NAT router.

Below you’ll find the Asterisk configuration. This configuration is known to work on Asterisk version 1.4.21.2~dfsg-3. In my case all configuration files reside in ‘/etc/asterisk/’.

sip.conf:

[general]
context=default
subscribemwi=yes
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
disallow=all
allow=alaw
allow=ulaw
allow=g726
allow=ilbc
allow=gsm
language=us
dtmfmode = auto

register => 31123456789@sip1.budgetphone.nl:***:31123456789@sip1.budgetphone.nl/101

[31123456789]
type=friend
context=from-budgetphone
host=sip1.budgetphone.nl
fromuser=31123456789
fromdomain=sip1.budgetphone.nl
username=31123456789
insecure=very
secret=***
qualify=yes
port=5060

[phone]
type=friend
context=internal
host=dynamic
nat=yes
callerid="Home phone"
canreinvite=no
qualify=yes
secret=password
mailbox=1001

extensions.conf:

[general]
static=yes
writeprotect=no
clearglobalvars=no

[globals]
INT1=SIP/phone
OUTBOUNDTRUNK=SIP/31123456789

[from-budgetphone]
exten => 101,1,Dial(${INT1},28)
exten => 101,n,GotoIf($["${DIALSTATUS}" = "BUSY"]?busy:unavail)
exten => 101,n(unavail),VoiceMail(1001@default,u)
exten => 101,n,Hangup()
exten => 101,n(busy),VoiceMail(1001@default,b)
exten => 101,n,Hangup()

[internal]
; internal number
exten => 1001,1,Dial(${INT1})
; voicemail number
exten => 700,1,VoiceMailMain()
; external numbers
exten => _XXXX.,1,Set(CALLERID(all)=31123456789)
exten => _XXXX.,2,Dial(${OUTBOUNDTRUNK}/${EXTEN})
exten => _XXXX.,3,Hangup()

voicemail.conf:

[general]
format=wav49|gsm|wav
serveremail=asterisk
attach=yes
skipms=3000
maxsilence=10
silencethreshold=128
maxlogins=3
emaildateformat=%A, %B %d, %Y at %r
sendvoicemail=yes

[zonemessages]
eastern=America/New_York|'vm-received' Q 'digits/at' IMp
central=America/Chicago|'vm-received' Q 'digits/at' IMp
central24=America/Chicago|'vm-received' q 'digits/at' H N 'hours'
military=Zulu|'vm-received' q 'digits/at' H N 'hours' 'phonetic/z_p'
european=Europe/Copenhagen|'vm-received' a d b 'digits/at' HM

[default]
1001 => 1234,Your name,user@domain.net,,tz=european

When done editing those files, connect to the Asterisk CLI (Command Line Interface) with the following command:

# asterisk -r

Set the verbosity level to 10:

*CLI> core set verbose 10

To reload the new configuration issue:

*CLI> reload

To see if the SIP peers have registered successfully, issue:

*CLI> sip show peers

I needed to configure the following fields in the base station configuration to get the phone registered with Asterisk. Go to ‘Settings’ -> ‘Telephony’ -> ‘Connections’ -> ‘Edit’ -> ‘Show advanced settings’.
- Authentication Name: phone
- Authentication password: *******
- Username: phone

- Domain: local
- Proxy server address: Asterisk server ip
- Registrar server: Asterisk server ip

To make the MWI (Message Waiting Indicator) work on the handset, follow these steps:
Browse to the Siemens phone web interface and go to ‘Settings’ -> ‘Telephony’ -> ‘Network Mailbox’. For the connection you want MWI on, enter the voicemail access number into the ‘Call Number’ box (in my case 1001) and tick the ‘Active’ box. This makes the Siemens phone subscribe to the mailbox status.
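A small audit of a sip.conf like the one above, as an added example that is not part of the original post: it parses the peer sections and flags the settings a practitioner would want to revisit before leaving the server reachable on a public IP address (insecure=very, which skips INVITE authentication; a dictionary-word secret; a host=dynamic peer with no deny/permit restriction). The sample configuration is constructed from the post’s two peers; the trunk secret is a made-up placeholder.

```python
import re

# Constructed sip.conf with the two peers of the post; the trunk secret is a
# made-up placeholder, the phone peer keeps the post's literal secret.
SAMPLE_SIP_CONF = """\
[general]
context=default
[31123456789]
host=sip1.budgetphone.nl
insecure=very
secret=Tr0nk-ExAmPl3-s3cr3t
[phone]
host=dynamic
nat=yes
secret=password
"""

def parse_sip_conf(text):
    """{section: [(key, value), ...]}; keeps repeated keys, skips register => lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif "=" in line and "=>" not in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections

def audit_peer(name, options):
    """Findings for one peer: settings that let a caller bypass or guess its authentication."""
    opts = {}
    for key, value in options:
        opts.setdefault(key, []).append(value)
    findings = []
    insecure = ",".join(opts.get("insecure", [])).lower()
    if "very" in insecure or "invite" in insecure:
        findings.append(f"{name}: insecure={insecure} skips INVITE authentication")
    for secret in opts.get("secret", []):
        if len(secret) < 8 or secret.lower() in {"password", "secret"}:
            findings.append(f"{name}: weak or placeholder secret")
    if opts.get("host") == ["dynamic"] and not (opts.get("deny") or opts.get("permit")):
        findings.append(f"{name}: host=dynamic with no deny/permit address restriction")
    return findings

def audit(text):
    return [f for name, opts in parse_sip_conf(text).items()
            if name != "general" for f in audit_peer(name, opts)]
```

For the phone peer, a long random secret plus a deny/permit pair limited to the base station's network address range clears both findings.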

Have fun!


eToken, Personal certificate and the Mozilla suite

August 26th, 2009 No comments

Recently I received a personal certificate, also known as a Digital ID, on a smart card (Aladdin eToken) to access a secure web service. While installing the certificate I noticed it is also possible to use the same certificate to digitally sign and encrypt email, so I fired up Thunderbird and added the PKCS#11 security device to configure signing using S/MIME. See the steps below.

“PKCS#11 is one of the family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It defines a platform-independent API to cryptographic tokens, such as Hardware Security Modules (HSM) and smart cards.” (Source: http://en.wikipedia.org/wiki/PKCS11)

I assume you already have installed the eToken software. In case you haven’t, take a look at this article I wrote earlier.

Open Thunderbird and go to Preferences -> Advanced -> Encryption -> Security Devices

Click on “Load” and enter a module name, or keep the default like I did, which is “New PKCS#11 Module”, and browse for the ‘libeTPkcs11.so’ library. This file probably sits in ‘/usr/lib’ or ‘/usr/lib64’. Be sure to pick the right one, because you need the 64-bit version if you’re using 64-bit Firefox.

Open Account Settings -> Security

Select the certificate on your smart card you like to use.

Thunderbird and Firefox are not bundled with the CAs needed to support GlobalSign PersonalSign Class 2 out of the box. You have to import the GlobalSign Primary Class 2 CA (http://secure.globalsign.net/cacert/PrimClass2.crt) and the GlobalSign PersonalSign Class 2 CA (http://secure.globalsign.net/cacert/PersonalSignClass2.crt) to make it work in Thunderbird; otherwise you’ll notice you’re not able to send digitally signed email.


eToken and Linux

July 22nd, 2009 1 comment

To make the eToken PKI 5.0 client work on my 64-bit Fedora 11 workstation with the 32-bit version of the Aladdin eToken middleware, I had to install the following packages: hal-libs.i586, libusb.i586, openct.i586, pcsc-lite-openct.i586, pcsc-lite-libs.i586, pcsc-lite.i586 and their dependencies.

# rpm -ivh pkiclient-5.00.28-0.i386.rpm
Preparing...                ########################################### [100%]
   1:pkiclient              ########################################### [100%]
Adding eToken security provider....done.
Starting PC/SC smart card daemon (pcscd): [  OK  ]
PKI Client installation completed.
#

If you don’t install the 32-bit version of the packages, the installation of the pkiclient software results in an error. The pkiclient software needs one of the following bundle directories, ‘/usr/lib/readers’ or ‘/usr/lib/pcsc/drivers’, or else it exits with the error message below.

# rpm -ivh pkiclient-5.00.28-0.i386.rpm
Preparing...                ########################################### [100%]
Error: cannot find pcsc-lite bundles directory.
error: %pre(pkiclient-5.00.28-0.i386) scriptlet failed, exit status 11
error:   install: %pre scriptlet failed (2), skipping pkiclient-5.00.28-0
#

Do not try to add the eToken as a security device in Firefox or Thunderbird if you’re running the 64-bit version of the applications. The 64-bit applications refuse to load the 32-bit ‘libeTPkcs11.so’; you’ll be prompted with the message “Unable to add module”.
I have requested the 64-bit version of the middleware, which should make things easier.


Wireless fix on Amilo running Ubuntu

June 11th, 2009 4 comments

Recently I had to use a laptop for a course I was doing. This Fujitsu Siemens Amilo Li 2727 laptop came with Windows Vista pre-installed. Since the installed OS didn’t matter for the course, I installed the latest Ubuntu, which is 9.04 (Jaunty). All worked well except for the wireless card (Atheros Communications Inc. AR242x 802.11abg Wireless PCI Express Adapter (rev 04)). The ath5k driver for the wireless card is initialised correctly, as you can see:

[   12.170260] ath5k_pci 0000:08:00.0: PCI INT A -> GSI 18 (level, low) -> IRQ 18
[   12.170274] ath5k_pci 0000:08:00.0: setting latency timer to 64
[   12.170439] ath5k_pci 0000:08:00.0: registered as 'phy0'
[   12.355693] ath5k phy0: Atheros AR2425 chip found (MAC: 0xe2, PHY: 0x70)
[  264.864848] ath5k phy0: noise floor calibration timeout (2442MHz)

It appears that the wireless card is enabled but not activated, so you need to turn it on. On Windows you use the Fn-F1 key combination to activate the wireless card, but this doesn’t work on Linux. The easiest way to get wireless going is to load a kernel module called acer_wmi. As soon as you execute the following line you’ll notice the wireless LED lights up. There are other ways, but this is by far the easiest and most elegant one.

$ sudo modprobe acer_wmi

The wireless card is now active! Wait a moment and you’ll see wireless networks appear in the NetworkManager if you’re in range. Just for the record I am using Ubuntu kernel 2.6.28-11-generic at the moment of writing.

To make this solution survive a reboot, add the module name ‘acer_wmi’ to ‘/etc/modules’. Note that `sudo echo "acer_wmi" >> /etc/modules` does not work: the redirection is performed by your unprivileged shell, not by sudo, so the write is denied. Let tee do the appending as root instead:

$ echo "acer_wmi" | sudo tee -a /etc/modules