
Monday, May 16, 2022

Ubuntu on Dell Laptop

I was having problems with Ubuntu installed on my Dell Latitude laptop. It was freezing randomly and unusable. I found a way to make it stable: edit the GRUB kernel parameters and add these options: intel_idle.max_cstate=1 i915.enable_dc=0

Wednesday, April 15, 2020

Ubuntu DNS Stub Listener #Disable

While setting up Pi-hole, it needs to listen for DNS (53/TCP, 53/UDP) on the host. The Ubuntu version I am running (20.04) already listens on port 53 by default, because systemd-resolved runs a DNS stub listener there.

Pi-hole will therefore report a binding error on port 53.

To stop Ubuntu running the DNS stub listener, do the following:

> sudo vi /etc/systemd/resolved.conf

Uncomment the line #DNSStubListener=yes and change it to DNSStubListener=no

> sudo service systemd-resolved restart
> sudo systemctl disable systemd-resolved.service
> sudo systemctl stop systemd-resolved
> sudo mv /etc/resolv.conf /etc/resolv.conf.old
> sudo shutdown -r now
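
As an added example (not part of the original post), this Python helper does the resolved.conf edit above idempotently: it reads the effective DNSStubListener value, treating a commented-out line as the compiled-in default of yes, and rewrites the file so the key is set exactly once. The sample file contents are constructed to mirror the stock Ubuntu 20.04 file.

```python
import re

# Constructed sample mirroring the stock /etc/systemd/resolved.conf on Ubuntu 20.04:
# every key is commented out, which means "use the compiled-in default"
# (for DNSStubListener that default is yes, hence the listener on port 53).
SAMPLE_RESOLVED_CONF = """\
[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#DNSStubListener=yes
#ReadEtcHosts=yes
"""

# Matches a live or commented-out DNSStubListener line; group 1 is the comment marker.
KEY_RE = re.compile(r"^\s*(#\s*)?DNSStubListener\s*=\s*(\S*)\s*(?:#.*)?$")


def stub_listener_enabled(conf_text):
    """Effective value of DNSStubListener: the last uncommented setting wins,
    and a commented-out line counts for nothing, so the default (yes) applies."""
    value = "yes"
    for line in conf_text.splitlines():
        m = KEY_RE.match(line)
        if m and not m.group(1):
            value = m.group(2).lower()
    return value not in ("no", "false", "0", "off")


def set_stub_listener(conf_text, enabled=False):
    """Return conf_text with DNSStubListener set explicitly once, replacing any
    commented or live line in place. Running it twice yields the same text."""
    wanted = "DNSStubListener=yes" if enabled else "DNSStubListener=no"
    out, done = [], False
    for line in conf_text.splitlines():
        if KEY_RE.match(line):
            if not done:
                out.append(wanted)    # first occurrence is replaced in place
                done = True
            continue                  # any duplicates are dropped
        out.append(line)
    if not done:
        # Key absent: put it right under [Resolve], creating the section if needed.
        try:
            idx = next(i for i, l in enumerate(out) if l.strip() == "[Resolve]") + 1
        except StopIteration:
            out.append("[Resolve]")
            idx = len(out)
        out.insert(idx, wanted)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stub listener on:", stub_listener_enabled(SAMPLE_RESOLVED_CONF))
    print(set_stub_listener(SAMPLE_RESOLVED_CONF))
```

Once /etc/resolv.conf has been moved aside as above, the host itself has no resolver configuration until Pi-hole or a hand-written /etc/resolv.conf supplies one, so check name resolution after the reboot.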

Saturday, April 13, 2019

Ubuntu 18.04 + Docker Setup

I am setting up a new Docker Engine running on Ubuntu 18.04.
During the Ubuntu installation, I selected Docker Engine as part of the deployment setup. By default the Docker Engine service is run by Snap.

My environment uses a web proxy to reach the Internet, and only the internal DNS servers are allowed. The Docker daemon and the Docker containers must use the web proxy and the internal DNS to reach the Internet.

To set up Ubuntu with a static IP pointing to the right DNS servers, a netplan configuration must be created: create a YAML file in /etc/netplan/

> sudo vi /etc/netplan/99-local-init.yaml

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.0.0.1/24
      gateway4: 10.0.0.254
      nameservers:
        search: [domainlocal.tld]
        addresses: [10.0.0.2, 10.0.0.3]

PS: addresses: [10.0.0.2, 10.0.0.3] are the local DNS servers

To get Docker Engine to use the web proxy and the local DNS servers, systemd drop-in configuration files must be created. Check the Docker Engine service name under the /etc/systemd/system/ folder; on my Ubuntu 18.04 installation it is snap.docker.dockerd.service.

Create a folder with the same name as the service and ".d" appended to it:

> sudo mkdir -p /etc/systemd/system/snap.docker.dockerd.service.d

Then you can create as many .conf files in that folder as you need.

To create the web proxy configuration:

> sudo vi /etc/systemd/system/snap.docker.dockerd.service.d/proxy.conf

[Service]
Environment="HTTP_PROXY=http://myproxy.domainlocal.tld:8080/" "HTTPS_PROXY=http://myproxy.domainlocal.tld:8080/" "NO_PROXY=localhost,*.domainlocal.tld"

To create the DNS setting:

> sudo vi /etc/systemd/system/snap.docker.dockerd.service.d/dns.conf

[Service]
ExecStart=
ExecStart=/usr/bin/snap run docker.dockerd --dns 10.0.0.2 --dns 10.0.0.3 --dns-search domainlocal.tld

PS: the empty ExecStart= on the first line is required; it clears the ExecStart inherited from the main unit file, so the second line replaces it rather than being appended to it.

Reload systemd and restart the daemon:

> sudo systemctl daemon-reload
> sudo systemctl restart snap.docker.dockerd

To build or run a process inside a Docker container, pass the proxy as build arguments:

> sudo docker build --build-arg http_proxy=http://myproxy.domainlocal.tld:8080 --build-arg https_proxy=http://myproxy.domainlocal.tld:8080 -t dockerhubname/imagename .

Have fun!


Thursday, May 10, 2018

SSH Login Notification with SSMTP

I have set up my box in the past to send an email notification for every successful SSH login, see here.
It requires sendmail to be installed, which I think is too much just to send email out from the box.

I found a lighter way to do it, using the ssmtp package:

Edit or create the file:
> sudo vi /etc/ssh/sshrc

DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# Use a private temporary file rather than a fixed, predictable name in /tmp
MAIL=$(mktemp) || exit 1

{
  echo "To: laurence.lau@domain.tld"
  echo "From: Beaver <beaver@domain.tld>"
  echo "Subject: SSH Login Successful"
  echo ""
  echo "$DATE, user $USER just logged in from $IP ($REVERSE)"
} > "$MAIL"
# Send in the background so the login is not delayed, then clean up
(ssmtp laurence.lau@domain.tld < "$MAIL"; rm -f "$MAIL") &


edit the file:
> sudo vi /etc/ssmtp/ssmtp.conf

mailhub=smtprelay.domain.tld:25

Sunday, April 30, 2017

Ubuntu CIFS Mount to Windows

To mount a Windows share over SMB2 from Ubuntu, edit the fstab file and include this line:

//windows.domain.local/share/folder /mount/point cifs credentials=/root/.credentials,vers=2.0,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0

Thursday, February 02, 2017

Bitbucket Installation

I have a need to create code repository locally. I don't want to use code repo in the cloud. Bitbucket is the winner!

#1 - Install Ubuntu 16.10
Download from ubuntu.com, get the latest ISO file, boot and install.
During the installation wizard, make sure PostgreSQL is selected and installed.

#2 - Configure PostgreSQL
Log in to Ubuntu as the standard user and set a password for the postgres role (\password takes the role name and prompts for the new password):

> sudo -u postgres psql postgres

\password postgres
\q

>

#3 - Create PostgreSQL Database and Role

> sudo -u postgres psql postgres
CREATE ROLE bitbucketuser WITH LOGIN PASSWORD 'mypassword' VALID UNTIL 'infinity';

CREATE DATABASE bitbucket WITH ENCODING='UTF8' OWNER=bitbucketuser CONNECTION LIMIT=-1;

\q

>

#4 - Install Bitbucket
Download the bitbucket installer from atlassian.com
Change the file permission to execute +x
Run it

#5 - Configure Bitbucket
During the configuration wizard, when asked for the database, specify localhost as the host, bitbucket as the database, bitbucketuser as the user and 'mypassword' as the password.


Wednesday, November 16, 2016

Ubuntu File Finders

To find the Disk Usage:

#> sudo du -sx /* 2> /dev/null | sort -n

To drill down into a directory:

#> sudo du -sx /var/* 2> /dev/null | sort -n

To find files larger than a given size (here 10 MB):

#> sudo find / -size +10M -ls

Wednesday, July 13, 2016

Dynamic DNS for Ubuntu

I am using opendns.com to protect my network at home. My IP isn't static, so I need a way to update opendns.com with my IP if that changes.

I am running Ubuntu, so let's start by installing ddclient:

sudo apt-get install ddclient

and then edit ddclient.conf

sudo vi /etc/ddclient.conf

I use the following config

use=web, web=myip.dnsomatic.com
ssl=yes
server=updates.opendns.com
protocol=dyndns2
login=<open-dns-username>
password=<open-dns-password>
<open-dns-label>

Wednesday, June 22, 2016

Ubuntu Apt-Get Proxy

To route Ubuntu's apt-get connections through your web proxy, do the following:

sudo vi /etc/apt/apt.conf

Add the following line:

Acquire::http::Proxy "http://yourproxy.tld:port";

save and fire away

Friday, December 25, 2015

Fail2ban BAN-Forever!

OK, enough is enough. As per my previous blog about setting up fail2ban, there was this one persistent idiot who kept trying to break into my network. Due to the fail2ban default setting, which un-bans previously banned IPs, he could keep trying and trying and trying...

So, I came across this blog and set my systems up as follows:

Modify the fail2ban config:

vi /etc/fail2ban/fail2ban.conf

Make sure it contains:

loglevel = 3
logtarget = /var/log/fail2ban.log

Modify the logrotate config:

vi /etc/logrotate.d/fail2ban

Make sure it contains:

/var/log/fail2ban.log {
    notifempty
    monthly
    rotate 13
    missingok
    postrotate
        fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
    endscript
    # If fail2ban runs as non-root it still needs to have write access
    # to logfiles.
    # create 640 fail2ban adm
    create 640 root adm
}

Add the repeat offender rule:

vi /etc/fail2ban/jail.local

Add the following at the end of the file. Any IP that has been banned 10 times within a period of 365 days is then banned forever:

#
# Repeated offender to be banned forever
# if it has been banned 10 times in 1 year
#
[repeatoffender]

enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, dest=me@domain.me, sender=fail2ban@domain.me]
logpath  = /var/log/fail2ban*
maxretry = 10
findtime = 31536000
bantime  = -1

Create the fail2ban filter:

vi /etc/fail2ban/filter.d/repeatoffender.conf

Add the following to the file (<HOST> is fail2ban's placeholder for the offending IP and must be kept literally):

# Fail2ban configuration file
# this filter monitors the fail2ban log file and permanently bans the IP
#
# only works with iptables

[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>
# bans issued by this jail itself must not be counted again
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+

Create the fail2ban action:

vi /etc/fail2ban/action.d/repeatoffender.conf

Add the following to the file:

# Fail2Ban configuration File
#
# The <name>, <chain>, <protocol> and <ip> tags below are fail2ban's own
# placeholders and are substituted at run time; keep them literally.

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of fail2ban
# Values: CMD

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-ip-blocklist
              iptables -A fail2ban-ip-blocklist -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-ip-blocklist
              # Re-insert every IP saved in the blocklist file (comment lines skipped)
              grep -v '^[[:space:]]*#' /etc/fail2ban/ip.blocklist.<name> 2>/dev/null | awk '{print $1}' | while read IP; do iptables -I fail2ban-ip-blocklist 1 -s "$IP" -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-ip-blocklist
             iptables -F fail2ban-ip-blocklist
             iptables -X fail2ban-ip-blocklist

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
# VERIFY matches a line that starts with the IP, so an IP already in the
# blocklist file is neither re-added to the file nor re-inserted in iptables.
actionban = VERIFY="^<ip>[[:space:]]"
            ADD="<ip>        # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            FILE=/etc/fail2ban/ip.blocklist.<name>
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing because their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command (replace <ip>):
# Be warned that if the ip is in log rotated files it must be whitelisted
#
# sed -i '/^<ip>/d' /etc/fail2ban/ip.blocklist.repeatoffender
#

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

That's it. To check iptables and see which IPs are blocked there, just run:

iptables -L -n
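
As an added example (not from the original post or from fail2ban itself), this Python snippet replays the repeatoffender filter over a constructed fail2ban log excerpt: bans from other jails are tallied per host, bans issued by the repeatoffender jail itself are skipped through the ignoreregex, and a deliberately mistyped ignoreregex (`\]+Ban` instead of `\]\s+Ban`) shows how the jail would otherwise re-count its own bans. The HOST pattern is an assumed stand-in for the substitution fail2ban makes for <HOST>, and findtime is not modelled.

```python
import re

# Assumed stand-in for what fail2ban substitutes for <HOST> (the real pattern
# is more elaborate, but a non-space run is enough for IPv4 and IPv6 here).
HOST = r"(?P<host>\S+)"
JAILNAME = "repeatoffender"

# The filter from the post with <HOST> substituted: a "Ban" from any jail counts.
FAILREGEX = re.compile(r"fail2ban\.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+" + HOST)
# Bans issued by the repeatoffender jail itself are ignored, so the jail does
# not count its own permanent bans.
IGNOREREGEX = re.compile(
    r"fail2ban\.actions:\s+WARNING\s+\[" + re.escape(JAILNAME) + r"\]\s+Ban\s+" + HOST)
# Mistyped variant: "\]+Ban" demands "]Ban" with no space in between and so
# never matches a real log line; every own ban would then be counted again.
BROKEN_IGNOREREGEX = re.compile(
    r"fail2ban\.actions:\s+WARNING\s+\[" + re.escape(JAILNAME) + r"\]+Ban\s+" + HOST)

# Constructed sample of /var/log/fail2ban.log in the 0.8.x format (not a real log).
SAMPLE_LOG = """\
2015-12-25 10:01:02,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2015-12-25 10:05:44,456 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2015-12-25 10:06:10,789 fail2ban.actions: WARNING [repeatoffender] Ban 198.51.100.9
2015-12-25 11:07:00,000 fail2ban.actions: WARNING [apache-auth] Ban 203.0.113.7
2015-12-25 11:09:31,000 fail2ban.actions: WARNING [ssh] Ban 2001:db8::1
"""


def count_bans(log_text, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Tally failregex hits per host the way fail2ban does: a line matching
    ignoreregex is skipped before failregex is tried, and only the <host>
    group of a hit is recorded."""
    counts = {}
    for line in log_text.splitlines():
        if ignoreregex.search(line):
            continue
        m = failregex.search(line)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return counts


def repeat_offenders(log_text, maxretry=10, **kw):
    """Hosts that reach maxretry counted bans within the excerpt."""
    return sorted(h for h, n in count_bans(log_text, **kw).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_bans(SAMPLE_LOG))
    print("correct ignoreregex, maxretry=2:", repeat_offenders(SAMPLE_LOG, maxretry=2))
    print("mistyped ignoreregex, maxretry=1:",
          repeat_offenders(SAMPLE_LOG, maxretry=1, ignoreregex=BROKEN_IGNOREREGEX))
```

On the real box, `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/repeatoffender.conf` performs the same matching against the live log and reports which lines hit failregex and which were ignored.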



Sunday, October 25, 2015

OpenVPN + VPN Gate + Squid

OK, so I need a VPN tunnel for my Internet connection at home. I don't want client-to-site VPN as it will isolate all my traffic (e.g. not only HTTP/S) to the Internet. I want only my HTTP/S traffic to go through the VPN tunnel.

So I set up an Ubuntu server with an OpenVPN client and a Squid proxy. This server has got 2 vNICs: one is facing the Internet and the other one is facing the internal network. The goal is to have this server establish an OpenVPN connection to VPN Gate from its primary interface and listen for proxy connections on the secondary interface.

This way, I can point my browser at the Squid proxy and my Internet traffic goes through the VPN tunnel.

Install OpenVPN client
Install OpenVPN with the following command:

#> sudo apt-get install openvpn curl unzip dnsmasq-base wget

Download VPN Gate .ovpn file
Go to http://www.vpngate.net and download an OpenVPN config file. This can be TCP or UDP. Save this file to /etc/openvpn/ and change its extension from .ovpn to .conf

Install Squid
Install Squid3 with the following command:

#> sudo apt-get install squid3

Modify Squid.Conf
This modification sets Squid to use Google's DNS servers for its resolution instead of the ones pushed by the OpenVPN client's auto configuration.

#> sudo vi /etc/squid3/squid.conf

Find dns_nameservers and change it to:
dns_nameservers 8.8.8.8 8.8.4.4

Restart Squid
Restart the Squid daemon to apply the change:

#> sudo service squid3 restart

Launch OpenVPN Client
Start the VPN client connection to VPN Gate using the file downloaded earlier:

#> sudo openvpn /etc/openvpn/vpngate.conf

The reason for renaming .ovpn to .conf is that, by default, any file in the /etc/openvpn/ folder with a .conf extension is treated as a configuration file by OpenVPN, and OpenVPN will start that connection itself every time the server is restarted.

Browser Proxy
Now you can set your browser proxy to use the internal IP address of this server and port 3128 as the proxy server, and the traffic will be sent through the VPN tunnel.

Enjoy!

Wednesday, August 26, 2015

Google Authenticator for Ubuntu

I am running SSH on Ubuntu and publish this service through my firewall so that I can log in remotely. I use fail2ban to block IP addresses that try to brute-force their way into my SSH server. I also set up notifications so that I get an email whenever someone logs in, successfully or not.

I think I need more than that, so today decided to dual-factor my SSH entrance :)

Running Ubuntu, I just need to run:

sudo apt-get install libpam-google-authenticator

This installs the PAM module for Google Authenticator.
Then, logged in to the system as the user I want to be two-factor authenticated, I run:

google-authenticator

This prompts me with a lot of questions, which I answered accordingly.
It also gives me a QR code that I can add to my Google Authenticator app.

Next is to edit /etc/pam.d/sshd and add the following line:

auth required pam_google_authenticator.so

Next is to edit /etc/ssh/sshd_config, and find the following line and change it:

ChallengeResponseAuthentication yes

Next is to restart the SSH service:

sudo service ssh restart

Then test it!!

Thursday, May 08, 2014

Git Server Part #2

I found out today that WebDAV is not the best way to set up a Git server. Instead we are better off using git-http-backend, also known as "Smart" HTTP.

Also we are going to install gitweb too, to enable us viewing project and repositories using the web browser.

To install gitweb:

sudo apt-get install gitweb

Install fcgid Apache2 Mod:

sudo apt-get install libapache2-mod-fcgid

Enable all Apache2 modules required:

sudo a2enmod env alias fcgid

Restart Apache2:

sudo service apache2 restart

From the previous blog, I have Git website setup already, so I need to modify my site.conf file.

Modification #1 - Give Access to git-http-backend 

<Directory /usr/lib/git-core>
    Require all granted
    Options +ExecCGI +FollowSymLinks
</Directory>

Modification #2 - Setup Alias for Gitweb

Alias /gitweb /usr/share/gitweb

<Directory /usr/share/gitweb>
    Options +FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi
</Directory>

Modification #3 - Add Script Alias

ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}.(pack|idx)) | git-(upload|receive)-pack))$" /usr/lib/git-core/git-http-backend/$1

Modification #4 - Add Environment Variables

SetEnv GIT_PROJECT_ROOT /home/www/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER

Next is to configure Gitweb. Edit gitweb.conf

sudo vi /etc/gitweb.conf

Change $projectroot to the location of your project root folder and save it.

Next, delete gitweb.conf from the /etc/apache2/conf.d/ folder.

Now to access your gitweb, just point to: http://git.domain.tld/gitweb

Sunday, April 27, 2014

Setting Up Git Server for Remote Repository

I have been wanting to have my own local software development repository. My development 'mode' is ON again and ready to rock-and-roll. While using Visual Studio 2013, I noticed that it natively supports Git. Looking into it further, I found this amazing jump-start tutorial on Git on MVA.

Git is a distributed repository model, however it also supports remote repository where commits can be pushed to the central remote repository and be shared with others if needed.

I am running my own Ubuntu server and while developing on my Visual Studio 2013 Git-ing locally, I would also like to 'Sync' all the commits to the central repository. So setting up Git 'Server' on my Ubuntu server is a good idea.

Git supports multiple protocols, like SSH, Git and HTTP. I prefer the latter, as I might want to collaborate with other developers in the future and HTTP is the better option for that.

I have Ubuntu 14.04 LTS Running Apache 2.4.7

Install Git

So, first things first: set up Git on the Ubuntu server by running apt-get:

apt-get install git-core

Directory Structure

Now, I am going to create the home folder for this site at /home/www/git, and then a separate path for each of the prod, test and dev repos. To do that:

cd /home/www
mkdir git
cd git
mkdir prod
cd prod
mkdir repo01
cd repo01
git --bare init
git update-server-info


As you can see above, I am creating the first Git repo in /home/www/git/prod/repo01 and initialise the Git bare repository. Do the same thing for each test and dev repos.

Next, let's take ownership of the file structure

cd /home/www/git
chown -R www-data:www-data .

Apache Configuration

Next is to configure Apache2 to enable WebDAV Module and setup a new site for Git:
To enable WebDAV on Apache2, run the a2enmod command:

a2enmod dav_fs

after you enable the module, you can check with a2query

a2query -m dav_fs
a2query -m dav

To create the site, do the following:

cd /etc/apache2/sites-available
vi git.domain.tld.conf

once the editor opens, use this content:

<VirtualHost *:80>
    ServerAdmin info@domain.tld
    ServerName git.domain.tld
    ServerAlias git2.domain.tld
    #Indexes + Directory Root
    DirectoryIndex index.php
    DocumentRoot /home/www/git/
    #Log Files
    ErrorLog /home/www/log/git.error.log
    CustomLog /home/www/log/git.access.log combined
    <Directory /home/www/git>
        DAV on
        Require all granted
    </Directory>
</VirtualHost>


The most important line is DocumentRoot, which points to the folder that will hold the root of the Git repositories. The second one is DAV on, which enables WebDAV.

At this stage there is NO authentication or authorization set up on the Apache VirtualHost; I will show how to use Active Directory as the LDAP for authentication later. Also note that it is running on HTTP only at this point. In the future, if I would like to publish this to the Internet, I will set up a reverse proxy with HTTPS on the Internet-facing interface.

Testing Git

To test Git, on the client side:

mkdir /home/user/test
cd /home/user/test
git init
git remote add origin http://git.domain.tld/prod/repo01
touch index.php
git add .
git commit -a -m "Testing commit"
git push origin master


have fun!

Saturday, September 07, 2013

OwnCloud - Setting IT Up

I need a solution to store my files; in fact I need some way of synchronising my files across 2 or more computers. I found this ownCloud solution.

Setting it up is straightforward, just follow the doco. However, by default ownCloud stores its file repository on the local server where ownCloud is installed. I have a Windows file share and I want all my files stored on the Windows file share.

I am running Ubuntu and installed ownCloud on it.

I created a shared folder on my Windows server and a user account in my Windows domain, straightforward.

On my Ubuntu server, I first created a hidden file that contains the username and password of the Windows domain account I created earlier:

> vi /path/.smbcredentials

username=myuser
password=mypassword

save this file

Next, I created a mount point at which I will mount the Windows shared folder on this Ubuntu server:

> mkdir /mount/projects

Then I find the user and group id of the account running the web server; in my case it is www-data:

> id www-data

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, I edit the fstab file to mount the file share:

> vi /etc/fstab

and add the following line:

//server.domain.local/share /mount/projects cifs credentials=/path/.smbcredentials,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0

Then run:

> mount -a

It should mount the Windows shared folder at /mount/projects.

Now, during the ownCloud installation, when it asks for the data folder, you can put /mount/projects!!

Thursday, July 18, 2013

Securing SSH Server with fail2ban and Email Notification

I use fail2ban to secure my SSH server, using the following guide

https://help.ubuntu.com/community/Fail2ban

This bans the offending IP address and notifies me by email of the failed attempt,
and I use the following script to notify me by email of each successful login.

Edit or create /etc/ssh/sshrc:

DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# Use a private temporary file rather than a fixed, predictable name in /tmp
MAIL=$(mktemp) || exit 1
echo "Subject: SSH Login Successful" > "$MAIL"
echo "$DATE, user $USER just logged in from $IP ($REVERSE)" >> "$MAIL"
# Send in the background so the login is not delayed, then clean up
(sendmail -f "MyBox <fromemail@domain.tld>" -t "Lau, Laurence <me@domain.tld>" -s smtprelay.domain.tld < "$MAIL"; rm -f "$MAIL") &