Of course one might think such a technology would be difficult at best to use. Not so. The developers of Ksplice have created an incredibly easy to use system that allows the administrator to handle critical updates, normally requiring a reboot, as easily as those updates that do not require a reboot.

Getting such a system working does requiring the installation of third party software. This tutorial will walk you through installing Ksplice as well as how to go about updating a currently running kernel with the new system.

Installing Ksplice

Figure 1

To install Ksplice navigate your browser to the Ksplice Uptrack page and click on the link for your particular distribution. If you are using Ubuntu the Gdebi installer will be an option to select from (see Figure 1) . Select Open with and then make sure GDebi is selected. Click OK and the installation will commence.

During the installation a new window will open specific to Ksplice. In this window you will have to agree to a License and then click Forward. Once you have done this the installation will complete.

Using Ksplice

Figure 2

After install is finished Ksplice will automatically open up the update window (see Figure 2) and reveal to you if there are any updates for your currently running kernel. This might very well remind you of the average Linux package management front-end.

In order to install the update(s) click the Install All Updates button to take care of any updates pending.

You will also notice a new icon added to your Notification Area (see Figure 3). This Icon will not only allow you to launch the

Figure 3

Ksplice tool, it will also keep you informed if there are any updates available. Figure 3 shows the Ksplice icon with a pending update.  When your system is up to date the “!” will disappear and leave you with a clean “K” icon.

Command line

What Linux tool is complete without a command line component? Ksplice includes four command line tools for your terminal pleasure:

• uptrack-upgrade: This command will download and install the latest kernel updates available for your system.
• uptrack-install PACKAGE: Will install a specific update (Where PACKAGE is the package name to update.)
• uptrack-remove PACKAGE : Will remove a specific update (Where PACKAGE is the package name to remove).
• uptrack-show PACKAGE: Will show more detail about a specific update (Where PACKAGE is the package name).

Final thoughts

I have been using Linux (and computers) for quite some time. I never thought I would see the day when such a major update to the underlying sub-systems could be pulled off without a reboot. And not only that, it is done as simply as using a GUI interface.  But now we are looking at something special. Ksplice is only now beginning to make serious inroads into reaching that goal of 100% uptime. And now, without having to reboot after a major upgrade, that 100% number is looking closer and closer every day.

Related posts

• Yahoo Server Monitor Widget (0)
• Win Extensions for Windows (32)
• Upgrading to Wordpress 2.3 (3)
• Things to check before switching to Vista Part 1 (1)
• Monitor your website with Montastic (3)

In this article you will learn how to install everything you need to get your Gnumed front end connected to a locally hosted Gnumed backend server. I will be illustrating this on Ubuntu 9.10 with the end result being a local-only installation. Of course the necessary modifications to make this a LAN-based installation shouldn’t be difficult for you, once you have the local install up and running.

This article comes a good time because this month it was just announced that new versions of Gnumed will include both medication management and prescription handling as well it was announced (on the Gnumed Blog) that a company is working on a billing feature for inclusion in a future release of Gnumed. That is certainly good news.

But, for now, let’s get on with the server installation.

Before we continue, make sure you have a working installation of PostgreSQL up and running. For more information on this take a look at my article “Basic postgresql server setup.”

Once you have PostgreSQL up and running you are ready to go.

Installing the backend

Go do the Gnumed server download mirror page and download the gnumed-server deb file (just click on a mirror). Once that file is downloaded open up a terminal window, cd to the directory you saved the file to, and issue the command:

sudo dpkg -i gnumed-server*

which will install the server.

As soon as the server is installed you have to create the databases used by Gnumed. Fortunately the Gnumed server package includes a simple command for this. From your terminal window issue the command:

sudo gm-bootstrap_server

This command will take some time to run its course. And, in the end, it might seem like you have some errors. These errors most likely mention a password – it is safe to ignore those errors.

Configuration

There are only two configurations you have to take care of. The first is to copy the proper .conf file into the ~/.gnumed directory. The file you want to copy will be /etc/gnumed/gnumed-client.conf. Copy that with the command:

sudo cp /etc/gnumed/gnumed-client.conf ~/.gnumed

You really only need to make one change in that file. Look for this section beginning with:

[profile local GNUmed database]

host =

You want to change the host = line to reflect:

host = localhost

Now you need to make a change to a PostgreSQL file. The file in question is /etc/postgres/8.4/main/pg_hba.conf. You have to add a section to a very specific section of this file. Look for this line:

# TYPE  DATABASE    USER    CIDR-ADDRESS    METHOD

Underneath that line you need to add:

local   samegroup   +gm-logins   md5

Once you have added that, save the file, and restart PostgreSQL with the command:

sudo /etc/init.d/postgresql-8.4 restart

Log in

Now it’s time to start up Gnumed and log in to your local server. When you start you will want the following login information:

• Backend: local Gnumed database
• Username: any-doc
• Password: any-doc

Hit the OK button to begin the login process. You will have to walk through a couple of windows (such as the language mismatch settings). But after that you will up and running with your own Gnumed backend server.

Final thoughts

It would behoove anyone medical practitioner looking to cut some corners (and wanting to take care of their own tech) to deploy Gnumed. And with the upcoming features, Gnumed is an outstanding solution.

Related posts

• Let your medical practice go open source with Gnumed (8)
• Basic postgresql server setup (5)

There are a hundred and one thousand things that can go wrong with any web server installation. From a fresh installation to an installation that has been running for a long time, you never know when something is going to cause your web server to go astray. When it does happen, it’s always nice to know that, usually, Occam’s Razor applies.

In this tutorial you will find some advice that will help you through some of the more common issues that can pop up with an Apache web server.

Is your server actually running?

Believe it or not, this has happened to plenty of administrators. You take the server down, do some maintenance, and when you go to check out the server you’re getting errors. The first thing you do, naturally, is check out that /etc/apache2/apache.conf file to make sure your syntax is correct. But it’s perfect! What’s up? The first thing you might want to check is to make sure the server is running. But you don’t want to just issue the command to start the server or reload the server. Instead, issue the command:

sudo /etc/init.d/apache2 status

Which should return something like:

* apache is running (pid 9751).

If not, start the server with either:

sudo /etc/init.d/apache2 start

or

sudo apache2ctl start

NOTE: If you are using a distribution like Fedora, SuSE, or Mandriva you will need to first su to the root user and issue the above commands WITHOUT using sudo.

It’s not running and it won’t start

Did you just make changes to your Apache configuration file? Are the changes correct? If you’re not sure, you can use the apache2ctl command to check the syntax of your configuration file. This is done with the command:

sudo apache2ctl configtext

The above command should report:

Syntax OK

If you don’t get an OK, you will get information that points to the errors in your configuration file.

Apache wants to download .php files!

This is another common issue. When you add a new tool on your web server (such as Drupal), if your configuration file is set up properly, any .php file might not be displayed. Instead any attempt to view a .php file will instead have your browser trying to download the file. Why is this? Apache must be informed that certain extensions are to be displayed, not downloaded. This is done from within the Apache configuration file. Open up that file (in the Ubuntu server it will be /etc/apache2/apache2.conf) and first look for the following line:

DirectoryIndex index.html

If that file doesn’t include index.php nearly all sites that use php will be rendered useless.

The second line to look for is:

AddHandler application/x-httpd-php .php

If you find this line, and it is commented out, make sure you uncomment it by removing the “#” character. If it is not there add it to the bottom of the configuration file.

And, as always, when you make a change to the configuration file, restart Apache.

Know where to look for problems

Finally, it is crucial that you know where to first turn when the above doesn’t help you out. Any time I have an issue with Apache where Occam’s Razor does not apply, the first place I turn is the log files.

If you look in /var/log/apache2 you will find, at least, the following files:

• access.log: This keeps track of any connection made to your server.
• error.log: This keeps track of any errors that occur with Apache.
• other_vhosts_access.log: This is where virtual hosts will log when the virtual host has not been prescribed its own log file.

Of course, as your site evolves so will your available log files. Regardless of what you find in /var/log/apache2, that is where you should always first turn when you have problems. Even before you google.

Final thoughts

Now you should be able to handle some of the more common issues with the Apache server. And if your problem isn’t common, you also know where to turn to find clues that will lead you down the right path to correction.

Related posts

• Portable Web Server (8)
• Local Apache Web Server Wampserver (3)
• How to: Install a LAMP server (7)
• Host your own webserver (18)
• Wordpress template tags you should know (4)

And what’s best is you don’t have to jump through a bunch of hoops to get munin up and running. In this tutorial you will see how to get your Munin server up and running and monitoring your system and a sample client configuration that will monitor a client node. As you might expect, I will continue to build upon the Ubuntu Server series and install Munin on a Ubuntu 9.04 installation. NOTE: This same installation will work on Ubuntu 9.10 as well.Server installation/configuration

Installing Munin on the Ubunter server is simple. Open up a terminal window (or log into your server console) and issue the command:

sudo apt-get install munin

The above command will also install munin-node which is the client-side software. This is fine, so let it happen. Upon installation Munin will install the configuration files in /etc/munin, the executable in /etc/init.d/, and the web files in /var/www/munin.

The first thing that will need to be done is to configure your server correctly. Open up the /etc/munin/munin.conf file and look for this section:

dbdir     /var/lib/munin
htmldir    /var/www/munin/
logdir     /var/log/munin
rundir     /var/run/munin

Out of the box, this will work just fine.  But if you have any other needs that would dictate any of these directives change, change them here.

The next section to look for is this:

# a simple host tree
[localhost.localdomain]
address 127.0.0.1
use_node_name yes

What the above section does is monitor the server Munin is installed on. This configuration only needs to change if you have specific requirements. Also, if you need to add a client (node), this is where you add it.

In order to instruct Munin to monitor a remote machine you need to add a new host tree. Say, for instance, you want to monitor a machine on the IP addres 192.168.1.150. To do this you would add:

[MACHINE NAME]
address 192.168.1.150
use_node_name yes

Where MACHINE NAME is a name to indicate the job (or user, or department, etc) of the machine.

Once you have these configurations and save the file. Now to move on to the /etc/munin/munin-node.conf file. There is only one configuration you would need to add in order to monitor nodes. Look for this line:

allow ^127\.0\.0\.1$

Beneath this line you will want to add (in order to enable our new node):

allow ^192\.168\.1\.1$

Save this file and restart the Munin server with the command:

/etc/init.d/munin restart

Installing for client

All you need to do for your client is to install the munin-node package. To do this issue the command:

sudo apt-get install munin-node

On the client machine. Now start munin-node with the command:

sudo /etc/init.d/munin-node start

Munin will begin to monitor this client now.

The graphs

When all is up and running, point your browser to http://ADDRESS_TO_SERVER/munin/

Figure 1

Where ADDRESS_TO_SERVER is the actual address of the server. Very shortly after you install Munin you may only see a listing of the nodes being watched (see Figure 1). This is okay, it will take some time before data is actually collected.

After a while you will notice data collected and graphs developing. If you click on the localhost.localdomain link you will see data beginning to collect (see Figure 2).

Figure 2

Final thoughts

Munin is a very powerful tool that allows you to gather crucial data about your systems and networks. Now that you have Munin installed and running you can begin to extend the server by adding more and more clients as well as plugins. You will quickly find Munin to be a very valuable tool for data analysis on your various systems and networks.

Related posts

• How to install Nagios on Ubuntu server (10)
• With Ubuntu 9.10 Arrives Wubi 9.10 (2)
• Why you should switch your parents pc to ubuntu (20)
• Which Ubuntu Derivative Is Right For You? (16)
• What makes Ubuntu so user friendly? (47)

One would think that an easy task. It actually is, once you know how it is done.  And in this article I am going to show you two different ways of making the connection to your Samba server. You will need to have a working knowledge of how the Samba server is set up as well as a username/password configured on the Samba server. There are also a few steps to take on the desktop for one certain method of connection.

The two methods I will describe are: Using GNOME’s Connect To Server dialog and the command line. The latter will be used to show you how to set up auto mounting for Samba.

The graphical method

Figure 1

If you take a look at the GNOME Places menu you will see an entry labeled “Connect to server…”. This is what you want to use in order to connect to your Samba server. When you click on that a new window will open. From the Service type drop-down select “Windows share” (see Figure 1).

When you select that entry some of the configuration options will change. As you can see (in Figure 1), I have entered the necessary options to connect to a Samba server on my internal network. You will want to replace the information so it reflects your needs. The only tricky bit of information might be the Folder entry. If you are connecting to the root directory on the share you will not need to enter anything there. Say, for instance, you share is /media/samba/user. If you want to connect to that directory leave the Folder entry blank. Say, however, you want to connect directly to a sub-folder within that share – you can enter that folder here. This, of course, isn’t needed because you can always traverse the sub-directories with simple navigation. You can also choose to add a bookmark instantly, from in this window.

Figure 2

Once you have all of the information entered click Connect and you will be greeted with a new window that requires you to enter a password. Also, if you do not supply a Domain name in the previous window, you will be required to enter it here.

You can also set this up to remember your password either until you logout or until, well, forever. Once you have entered the password/domain click the Connect button and a new Nautilus window will open inside of your Samba Share.

Using the command line

Now we’re going to use the command line to accomplish a similar goal. The biggest difference is that we are going to actually mount the Samba share into another directory, very much the same way we would mount a second hard drive.

There are a few pieces to put together before we actually take care of the mounting. First let’s create a directory that the Samba share will be mounted to. So from the terminal window issue the following command:

sudo mkdir /media/samba

Now let’s make sure our users can read/write to this directory with the command:

sudo chmod -R u+rw /media/samba

Okay now let’s make sure we can see the Samba shares from the command line. We’ll do that with the smbclient command like so:

smbclient -L //SAMBA_SERVER_ADDRESS

Where SAMBA_SERVER_ADDRESS is the actual IP address of the Samba server.

Figure 3

You will be prompted for your username and password. If you get an error it could be that the usernames don’t match on each end. If that’s the case you could add the -U switch to the command like so:

smbclient –user=jlwallen -L  //SAMBA_SERVER_ADDRESS

You should see output similar to that shown in Figure 3.

Now it’s time to try to mount the Samba share to the /media/samba directory. To do this issue the command:

sudo mount -t cifs //SAMBA_SERVER_ADDRESS/SHARE -o username=USERNAME /media/samba/

Where:

• SAMBA_SERVER_ADDRESS is the IP address of the Samba server.
• SHARE is the share name.
• USERNAME is the username to connect with.

If that works you can now make this an automated mount by adding the following line to your /etc/fstab file:

//SAMBA_SERVER_ADDRESS/SHARE     /media/samba    cifs  credentials=/etc/samba/user.cred 0 0

Where SAMBA_SERVER_ADDRESS is the IP address of the Samba server and SHARE is the share name.

Notice the user.cred file. This is one last thing we need to create. With your text editor create this file and place into it:

username=USER

password=PASSWORD

Where USER is the username to log in with and PASSWORD is the password to use for authentication. The final step is the give this new file the proper permissions with the command:

sudo chmod 600 /etc/samba/user.cred

You can ensure this works by issuing the command mount -a which should mount your Samba share.

Final thoughts

You should now have an auto-mounting Samba share – or the ability to easily connect your GNOME desktop to a Samba share. Samba is a very powerful tool that not only can share files with Windows machines, but with Linux machines as well.

Related posts

• Set up your new Ubuntu Server as a Samba Server (3)
• Get To Know Linux: Understanding smb.conf (3)
• Auto mounting a Samba share in Linux (5)
• Walk-through installation of OpenSuSE 11.2 (2)
• Simple GNOME Note Taking with Tomboy (1)

The Firefly Media Server (formerly mt-daap) is a fast DAAP server that is simple to install and even easier to configure. Firefly resides on a single Linux machine that doesn’t have to be a powerhouse. In fact, you can install this lightweight server on Ubuntu Server and you’re almost ready to go. In this article you will see how to do just that – install and configure Firefly Media Server on Ubuntu Server.

Features

The Firefly server has all of the features you will want in a DAAP server:

• Supports Unix/POSIX
• Beta for Windows in the works
• On the fly transcoding of OGG, FLAC, Apple Lossless, and WM
• User-created smart playlist support
• Integrates with iTunes and many other DAAP-supporting media players
• Serve streaming radio stations

Installation

Since we are installing on a Ubuntu Server, the installation is simple:

1. Open up a terminal (or just log into your servers’ console)
2. Issue the command sudo apt-get install mt-daap
3. Enter your user password

That’s it. Now it’s time to set it up.

Configuration file

There is only one configuration file for Firefly: /etc/mt-daapd.conf. This file is quite easy to set up. For a basic DAAP server, out of the box, there is really only one option you must configure. If you open up the configuration file look for the line:

mp3_dir = /home/media/music

This is the line you will need to change to reflect the directory you will serve your media from. For my setup I created a new sub-directory in /opt called music. Do this with the command:

sudo mkdir /opt/media

Now you have to make that directory readable by the DAAP server with the command:

sudo chmod ug+r -R /opt/media

Now all files and sub-directories created with the /opt/media directory will have the proper permissions such that the DAAP server can serve up the files.

Of course what you have just set up is a very basic DAAP server. There are a lot of other options within the configuration file you can set up, such as:

• servername: This is the name your DAAP server will broadcast. By default the server will be listed as Firefly RELEASE_NUMBER HOSTNAME (Where RELEASE_NUMBER is the release number of the Firefly installation and HOSTNAME is the hostname of the server.)
• password protection: This will cause any user attempting to access the DAAP server to have to enter a password in order to see the files.
• port: If you need to use a port other than the default (3689), configure it here.
• extensions: The file types you want to allow to be served by your DAAP server.
• Valid codectypes: These are the configurations for the format conversion. There are already lines for this in the configuration file – you just have to uncomment the ones you want to add for internal conversion.
• rescan_interval: If you want to enable background scanning you need to uncomment this entry and set an interval. This will enable you to add new files without having to restart the DAAP server to pick up the new files. Very handy if you frequently add new files.

There are other configuration options, but those are the ones you will want to focus on first.

Start the daemon

After your configuration file is complete, go ahead and move your media files into the directory and then start the server with the command:

sudo /etc/init.d/mt-daap start

With the server up and running you can fire up a DAAP enabled client, like iTunes or Songbird (Note: Songbird requires the addition of a DAAP add on), and you should automatically see the files on the DAAP server.

Final thoughts

Setting up a DAAP server is a great idea for a small internal network where you want to be able to share out a multi-media library. Anyone looking to set this up, and has a Linux server up and running, would do well to give Firefly a try. The simplicity, size, and speed of this server makes it the perfect candidate.

Related posts

• Songbird 0.7 RC1 Released (3)
• iTunes Music Server pulpTunes (7)
• Winamp iPod Plugin (5)
• View and Edit information of songs with More Tunes (1)
• The Complete Media Player Review (Part 1) (15)

Fortunately there is a tool for that. The tool? Spamassassin. Spamassassin is a very versatile SPAM tool that is part of the Apache Foundation. Spamassassin uses numerous means to detect SPAM including: DNS and Checksum based SPAM detection as well as Bayesian filtering, external programs, black lists, and online databases. These tools together make for a fairly powerful detection system.

In this article you are going to see how to install and configure Spamassassin to work in conjunction with Postfix to further enhance your email server.

Installing Spamassassin

Obviously the first thing you need to do is install Spamassassin. You will find Spamassassin in the Ubuntu repositories. And since this entire series has been laid on top of a Ubuntu Server installation, that is quite convenient. So, to install Spamassassin, open up your terminal window and issue the following command:

sudo apt-get install spamassassin

There may or may not be some dependencies to install in order for the Spamassassin  installation to complete. Go ahead and OK those. Once this installation is complete you are ready to start configuring.

Configuration

Before we actually get to the configuration it is important to understand the SPAM scoring system. With Spamassassin, messages are tagged as SPAM only when they have enough SPAM-matching characteristics (according to a scoring level). The scoring level is 0-5, however it’s not as simple as saying a 0 means it is 0% SPAM. The system is set up so that every characteristic can add to the overall score. For example a message tested to find a base64 attachment does not have a file name filtered with both bayes+net will add 0.224 to the over all score of the message. When all of the characteristic scores are added up, if they exceed the default score you have set in the configuration file, that message is considered SPAM.

Now that you have a basic understand of how the scoring system works. Let’s start configuring Spamassassin.

The main configuration file is /etc/spamassassin/local.cf. The first option you want to configure is the default score. Look for the line:

# required_score 5.0

The first thing you want to do is uncomment that line (by removing the “#” character) and then changing the score. A score of 5 is pretty high and sure to be SPAM. Understand the more you lower that score the likely you are of missing message messages that are tagged false-positives. A score of 3.5 is a fairly reliable score that will catch a lot of SPAM but not a lot of false positives.

Above this line are a couple of other options that are important. The first is the option to set the option:

report_safe

To 0. This option can be set to either 0 or 1. A zero means that if a message is found to be SPAM the message will not be deleted, but instead the subject line will be rewritten to include a message marking it as SPAM.  This is handy to prevent users from losing important messages to false positives. This also allows you to set a lower score threshold.

To do this first look for the line:

# report_safe 1

Uncomment this line by removing the “#” character and then change the “1″ to “0″ (no quotes).

The next step is to uncomment the line:

# rewrite_header Subject *****SPAM*****

Now you can alter the “*****SPAM*****” section of this line to reflect what you’d prefer it to say. Just make sure it is clear to your users that a message with this rewritten subject line is most likely SPAM.

Now restart the Spamassassin daemon with the command:

sudo /etc/init.d/spamassassin restart

Configure Postfix

The last step is to set up Postfix to use Spamassassin. To do this open up the file /etc/postfix/master.cf and look for the line:

smtp     inet    n   –   –   –   –   smtpd

You need to alter this line to look like:

smtp      inet   n   -   -   -   -   smtpd -o content_filter=spamassassin

Finally, at the end of this file add the following:

spamassassin
unix - n n - - pipe
flags=R
user=spamd
argv=/usr/bin/spamc
-e /usr/sbin/sendmail
-oi -f ${sender} ${recipient}

Now all you need to do is restart Postfix with the command:

sudo /etc/init.d/postfix restart

Your mail server should now be scoring incoming message as SPAM or HAM.

Final thoughts

The mail server is a tricky beast. You have to ensure that users are getting their mail, but you have to make sure they aren’t receive SPAM or viruses. After completing this series of articles, you should have a pretty solid server running that will send out mail that is safe for users eyes.

Related posts

• Trap Spammers with Project Honey Pot (4)
• Tinymail Email Protection (18)
• Reduce Spam by using alternative Google Mail Address ? (8)
• Phishing Explained (4)
• Introduction Series Part 1: Spam (0)

One of the best anti-virus systems for a Postfix server is ClamAV. This anti-virus tool kit is open sourced and can be used on all UNIX-like operating systems. It’s easy to install and effective. In this article we will be following our series started way back in the Installing Ubuntu Server 9.04 article. Of course we will be installing ClamAV on a Ubuntu server running LAMP and Postfix. With that in mind, let’s get busy!

Installation

The first thing to take care of is the installation of ClamAV. There are a number of tools you will need to install. Open up a terminal window and issue the command:

sudo apt-get install clamav clamav-freshclam clamsmtp

The above command should also pick up all of the necessary dependencies. The installation will also start the clamav daemon. You will restart that momentarily

Configuration

Once installed you have some configurations to take care of. There are three files you are going to have to edit:

• /etc/clamsmtpd.conf
• /etc/postfix/main.cf
• /etc/postfix/master.cf

The first file to configure is the clamsmtpd.conf file. The configuration in this file is simple. Look for the lines:

OutAddress: 10025

127.0.0.1:10026

Change them to:

OutAddress: 10026

127.0.0.1:10025

That’s it for the clamsmtpd.conf file. Now let’s move on to the heavier configurations.

Open up the /etc/postfix/main.cf file. Scroll down to the bottom of this file and add the following:

content_filter = scan:127.0.0.1:10025

receive_override_options = no_address_mappings

Save that file and now move on over to the /etc/postfix/master.cf file. Again, scroll down to the bottom of this file and add the following:

# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

Save that file.

Restarting

The first thing you need to do is restart Postfix with the command:

sudo /etc/init.d/postfix restart

Once that has restarted you need to restart clamsmtpd with the command:

sudo /etc/init.d/clamsmtpd restart

Now, if nothing has gone horribly wrong, you should have a virus protected Postfix mail server.

Updating signatures

You should never go without updating your virus signatures. This is critical for keeping your mail server virus-free as new viruses are created or old viruses mutate. Fortunately ClamAV has its own tool for this. You will need to go back to that terminal window and issue the command:

sudo freshclam

Which will update the signatures.

You might even add the freshclam command into the root users crontab for regular signature updates.

Final thoughts

Your Postfix mail server is getting better and stronger each day. Adding anti-virus is a critical step in the grand scheme of Postfix things. In our next addition to the Postfix series, we will add Spamassassin for anti-spam measures.

Related posts

• What is your Security Concept ? (9)
• Test your Anti-virus program (10)
• Stop SPAM in Postfix with Spamassassin (1)
• Secure Windows XP (0)
• Mail relaying made simple with Postfix (2)

In this article you are going to learn how to install Postfix on your already running Ubuntu Server 9.04. I am going to assume you have it networked and have a domain registered that you want to use. At the end of this article you should have a working mail server, ready for use.

NOTE: For the purposes of this article, I will use the fake domain “www.ubuntumail.net”. You will want to use your domain in place of that.

The first step is to install the software necessary. Since you already have LAMP up and running all you will need to do is install Postfix and it’s dependencies. To do this open up a terminal and issue the following command:

sudo apt-get install postfix

The installation will not only install Postfix, but will start the Postfix daemon for you. You will most likely want to test this installation by running the old telnet test like so:

telnet localhost 25

You should see something like:
Trying 127.0.0.1...
Connected to www.ubuntumail.net.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)

If you do, success! Now you are ready to take care of the configuration steps.

Configuration

There is only one file you need to deal with in Postfix. That file is /etc/postfix/main.cf. There really isn’t much to configuring this file (for a basic installation – which is all we are dealing with right now).

To set your Postfix installation up for your domain you will want to open that file for editing like so:

sudo nano /etc/postfix/main.cf

The above command opens main.cf in the Nano editor. What you need to look for is this section:

myhostname = ubuntumail
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ubuntumail.net, ubuntumail, localhost.localdomain, localhost
relayhost =
#mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

As you can see, I have already configured the above section to work with our sample domain. You will need to go through the above section and insert your domain where you see ubuntumail.net. You will want to pay close attention to the mydestination line. As you can see that line contains:

ubuntumail.net, ubuntumail, localhost.localdomain

This helps to avoid mailloops in Postfix.

Some people also like to use the mydomain parameter, but since mydomain is taken from $myhostname by removing the first part (unless that would cause the domain to be a top-level domain) it can be redundant. If, however, your mail server serves your entire domain, you will need to use the mydomain parameter. For that you would insert:

mydomain = ubuntumail.net

at the top of the section shown above.

Once you have that configuration saved, restart Postfix with the command:

sudo /etc/init.d/postfix reload

To reload the mail server.

Users

As this is a Linux box, you will want to make sure you have a user created for every email address you need to serve up. So create your users with your favorite user creation tool. Since you are most likely installing on a Ubuntu Server (sans GUI), you will be using the useradd command. You can accomplish this with the command:

sudo useradd -m USERNAME

Where USERNAME is the actual username you want to use. Next you will need to give the user a password with the command:

sudo passwd USERNAME

Where USERNAME is the actual username you want to use. You will be prompted to enter the password twice.

After you have entered the users, you can then test the mail server by sending an email from an external source to see if it arrives. If there is a problem make sure the first place you look is /var/log/mail.err.

Final thoughts

At this point you should have a basic, working mail server. Postfix does make this task much more simple than did Sendmail. In my next article I will cover adding Spamassassin to your Postfix mail server to keep SPAM from getting in.

Related posts

• Stop SPAM in Postfix with Spamassassin (1)
• Quickly check mails without downloading them (8)
• Mail relaying made simple with Postfix (2)
• Yahoo Mail, Search And Messenger Upgrades (2)
• Yahoo Mail Integrates Drop.io To Support 100 Megabyte Attachments (8)

Having a tool that can quickly, and regularly, take snapshots of your network landscape is critical to keeping tabs on your PCs. Of course you can shell out some budget dollars for a proprietary tool, but why bother when you can fire up a Linux machine and use the trusty Nmap tool for the job.

Nmap is a command line tool that rapidly scans a network gathering information about machines and ports. It is easy to use and flexible, making it perfect for the job of asset scanning. In this tutorial you will see how to set up a system that will regularly scan your network and create a report that can then be used to keep inventory of your networked machines.

Installing

Before we get to the actual scanning we need to install a couple of applications. Since I am using a Ubuntu system, we’ll run the installation using apt-get. With some simple modifications, you can do the same on a fedora system. The two applications to install are: nmap and ndiff. We use ndiff to compare the results of scans. To install these applications open up a terminal window and issue the following command:

sudo apt-get install nmap ndiff

You will have to accept dependencies, at which point the two applications will install. Upon completion of the installation, you are ready to scan.

Using nmap

Nmap is actually a fairly powerful tool. If you issue the command man nmap you will see just how powerful this tool is. You can also see how many arguments you can use with Nmap as well as what each argument does. Fortunately I will show you a simple command you can issue to make this a bit easier.

I am going to illustrate how these tools work together by running an nmap scan on a small internal network. I will then scan the network after making a change to one machine and see if ndiff catches the change.

The command for the scan is:

sudo nmap -n -PN 192.168.1.1/24 -O > network_scan

I will then run that same scan after making the change with one alteration:

sudo nmap -n -PN 192.168.1.1/24 -O > network2_scan


The above commands will output to the files network_scan, and network2_scan.

Once you have the two files you will compare them using the ndiff command like so:

ndiff -b network_scan -o network2_scan

The two options used are:

• b – Baseline.
• o – Observed.

You can think of Baseline as your control group.

Figure 1

The results of the command are shown in Figure 1.

The results show exactly what occurred in my network change. I shut down the machine associated with IP address 192.168.1.37.

Of course you could also get a much clearer picture of your network by combing through the results of the initial scan, but if you are looking for how your network topography has changed from scan to scan, using ndiff is the best way.

To see the full usage of both nmap and ndiff, take a look at the man pages. I will warn you, they are fairly complex. But this tutorial should give you a solid understanding of how the basics of the tools work.

Related posts

• Port Scanning Networking Tool SuperScan (1)
• Map your network with Zenmap (1)

With the help of the GNOME Nettools you can have a sweet collection of powerful tools that will help you to troubleshoot your network in no time. And this collection of tools is all wrapped up into a user-friendly graphical interface. So without any further adieu, let’s take a look at this powerful suite of tools.

Features

The GNOME Nettools includes the following tools:

• Devices: Have all information about your networking devices at your fingertips.
• Ping: Get detailed information using the ping tool.
• Netstat: Get detailed information about your routing table, active network services, and multicast information about your machine.
• Traceroute: Trace the path to a network host.
• Port scan: Scan for open ports on servers and desktops.
• Lookup: Get detailed information about a server.
• Finger: Lookup a users finger entry.
• Whois: Lookup a whois entry for a domain.

GNOME Nettools also features:

• Copy information to text report.
• Help system.
• Drop downs for previously entered addresses/domains.
• Easy to use GUI.

Now let’s take a look and see how this tool is used.

Usage

Figure 1

As you can see there has been no mention of installation. That is because GNOME Nettools is installed by default. In order to start up the tool you only have to go to the Administration sub-menu of the System menu. Once you have fired up the tool you will be greeted with main window at the Devices tab. This tab is where you gather the information about your installed networking devices. As you can see (In Figure 1) there is plenty of detailed information about my default eth0 interface. You can switch this to display information about any connected internet device you have on the machine by using the Interface drop-down.

The next tab, Ping, is where you can actually start troubleshooting networking issues. Ping is almost always one of the first tools I use, but I generally use it in command line form. Since most new Linux users prefer to not use the command line – you can still get your ping on with Nettools. Click on the Ping tab to reveal how the Ping tool works (see Figure 2).

Figure 2

By default the Nettools Ping tool will be configured for a limited 5 requests. You can up that number or even change it to an unlimited number if you need. In Figure 2 I have sent 5 ping requests to an internal server and received 100% sucess on my packets. I know this server is at least responding.

The other tools will all work exactly as you would expect them. One thing that is nice is as a tool is working you can switch over to another tool without disrupting the original tools task. This is especially nice when running a traceroute that can take a while (see Figure 3).

Figure 3

The traceroute tool will follow a path, hop for hop, to a destination you enter. In Figure 3 I ran a traceroute on www.google.com which ended before it reached its goal. This, of course, was only to show you the output of the traceroute (as there is not much I can personally do if my route to www.google.com is stopped outside of the boundaries of my network or my service providers network. But it gives you an idea of where the route stops. If this were a corporate issue, and the destination was one I had to reach, I would know precisely where the last known successful hop was (in the case of Figure 3 – after the 65.222.158.82 address).

I can then use the Whois tool to discover who is connected to that address. By clicking on the Whois tab and then entering the IP address above I receive the following information:

MCI Communications Services, Inc. d/b/a Verizon Business UUNET65 (NET-65-192-0-0-1)
65.192.0.0 - 65.223.255.255
SPLICE COMMUNICATIONS, INC. UU-65-222-158-80-D4 (NET-65-222-158-80-1)
65.222.158.80 - 65.222.158.87

If www.google.com were a critical address for me (and my company) to reach for work (or a host of my company’s web site) I could at least contact the owner of this domain.

Final thoughts

As you would expect, the rest of the Nettools tools work in a very similar fashion than their command line counter parts. The only difference? You don’t have to open up a terminal window to use them. No commands to remember, no commands to type. Just easy network analysis, with the help of a user-friendly GUI tool.

Related posts

• Ways to check if a website is really down (12)
• Internet Maniac Networking Software (2)
• eToolz Network Toolset (1)
• Who shares your shared hosting? (5)
• WebHopper Internet Traceroute Tool (2)

With Secure Shell there are a number of ways to use (and configure) this tool to make it more useful and more secure. In this article  you will learn five different (and handy) secure shell tips to make sure your ssh usage is as good as it can be. And for some basic secure shell knowledge, check out my article “Get to know Linux: Secure shell“.

Password-less logon

Have have dealt with this before (as a side note), but wanted to re-iterate this process. Because I use ssh so much I get tired of having to enter passwords constantly. Now I will preface this by saying only do this on a network you trust. Yes you will be logging into ssh with a certificate, and that certificate will be on your machine, but you don’t want to employ this method on a network that can not be trusted. With that in mind, here are the steps for setting this up.

On the local machine issue the command:

ssh-keygen -t dsa

This command will generate a public key that will be then copied to your server. During this creation process you will be asked for a password – just press enter to use a blank password for this. You will have to verify the password, so hit enter again. )

With the key created you have to copy it to the server you want to ssh into. To do this enter the command:

ssh-copy-id -i .ssh/id_dsa.pub username@destination

Where username is the username you will be logging into on the remote server and destination is the IP address of the remote server.

Now when you go to secure shell into that remote machine you will not have to enter a password.

Block root login

Although secure shell is a secure means of logging into your server, you do not want to allow root access (for obvious reasons). Blocking root access is simple. Open up the /etc/ssh/sshd_config file and look for this line:

PermitRootLogin

and make sure it is set to “no” (no quotes). So the complete line will read:

PermitRootLogin no

Once you have saved that file, restart the ssh daemon with the command:

sudo /etc/init.d/ssh restart

Now the root user can no longer log in remotely via ssh.

Enable X tunneling

Secure shell is made even more powerful when you can run a remote X application on your local machine. And what is better is that it’s not difficult at all. In order to allow X tunneling you will first need to open up the /etc/ssh/sshd_config file and search for this line:

X11Forwarding

and make sure it looks like:

X11Forwarding yes

Once that is set save the file, restart sshd, and you are ready to tunnel and X Windows application through ssh. To accomplish this you have to add the -X flag to your secure shell command like this:

ssh -v -l USERNAME IP_ADDRESS -X

Where USERNAME is the username you want to log in with and IP_ADDRESS is the actual IP address of the machine you are logging into.

Final thoughts

There are so many cool tricks and tips with secure shell, but the above three are, in my opinion, the most helpful. Have you come across a helpful ssh tip you’d like to share? Or are you looking for a particular behavior out of secure shell? If so. share with your fellow Ghacks readers.

Related posts

• Linux Command Line Fu (5)
• Get To Know Linux: Secure Shell (4)
• Yoggie PICO Personal Mobile Security Computer (3)
• With Ubuntu 9.10 Arrives Wubi 9.10 (2)
• Widgets for Linux: SuperKaramba (6)

For both of these needs there is another tool that works as a pretty impressive front-end for the wget command. That tool – Multiget. Now, before you assume Multiget is a Linux-only tool, it’s not. Multiget can be used in Linux, Windows, OS X, and the BSDs. This article, however, is about using Multiget in Linux (in particular – Ubuntu).

Features

Multiget offers the following features:

• Multi-task/multi-thread/multi-server usage.
• User-friendly interface (resembling Flashget).
• Multiple language support.
• Proxy support.
• Extension ignoring/capture.
• FTP anonymous pass.
• Panel icon.

Installation

Fortunately, for Ubuntu users, Multiget can be found in the Universe repository. All you have to do for installation is:

1. Open up your Add/Remove Software tool.
2. Search for “multiget” (no quotes).
3. Select the results.
4. Apply to install.

That’s it.

Usage

Figure 1

To start up Multiget go to the Internet sub-menu of the Applications menu and you will find the Multiget entry. Open that and the main window will start up (see Figure 1). The first step in downloading a file should be fairly obvious – you hit the the New Task button (denoted by the “+” symbol). Simple.

When you hit the New Task button  a new window will appear that asks for certain information. At least in the Linux release of Multiget, you might find a portion of this window that might stump you. As you can see (in Figure 2) in the Basic Info section you have four bits of information to add. The MAIN URL section is obvious – you copy and paste a URl into the this section. But wait a minute – you will find, if copying your URL from your default web browser, that as soon as you right-click a URL, and select Copy Link Location that URL will appear in the MAIN URL section and then automatically moved down to the Mirrors section. This is actually the only means of getting an address into the Mirrors section.

Figure 2

With that in mind, let’s use a few mirrors to quickly download the ISO image of the latest release of Ubuntu. To do this go to the Ubuntu Karmic page page. The first thing you will do is go to the main download page, right click the download link, and click Copy Link Location. Now go back to the main download page and select a mirror and do the same thing. You can add as many mirrors as you like – understanding the more mirrors you add, the faster the download will happen.

Once you have all of your URLs added (make sure you still have a URL in the MAIN URL section) configure the rest of the window (you should configure the SaveTo section at least) and then click OK.

As your file is downloading click on the Progress section in the bottom and you will see how the pieces of the download are coming together. As you can see (in Figure 3) I have five threads running to download the Ubuntu 9.10 ISO image. You can also see the overall progress bar as the green bar starting right under the icon toolbar.

Figure 3

During an active session you can increase or decrease the amount of threads given to a download. This, of course, can speed up your download. Naturally if you give too many threads to a download you might see your overall performance of either your machine or your general network connection degrade. At this point you can decrease the number of threads given to a download. To increase or decrease the number of threads go to the Task menu and select the appropriate entry.

During the download you can click on the Running section to see the information of your download. You can also pause your download by clicking the Pause button.

Final thoughts

Multiget is an outstanding tool to download large files using muliple mirrors and threads. As well it is just an overall outstanding front end for the wget command.

Related posts

• What’s Your Take on Downloading? (17)

There is one thing that most Linux backup tools have in common and that is their underlying technologies. In most cases one of the tools that make the GUI backup tools possible is the venerable rsync. Rsync is an incredibly fast and lightweight file copy tool that can not only copy files to and from a local machine, it can also copy over a network connection – which makes rsync an ideal candidate for user-generated backup scripts or cron jobs.

In this tutorial you will learn how easy it is to use rysnc to not only back up specified directories to an external usb drive, but also to backup over a network connection via ssh.

Command structure

The structure of the rsync command is:

rsync [OPTIONS] SOURCE DESTINATION

Where SOURCE is the location of the directory to be backed up and DESTINATION is where the backup will be placed.

Now the structure of the command changes when you are employing a network facility such as ssh. At that point the command structure would look like:

rsync [OPTIONS] ssh SOURCE user@destination:/directory

Where user is the user name on the remote machine, destination would be either an IP address or domain, and /directory is the explicit path to the directory you want to back up to.

Usage

For the first example we are going to backup the directory /home/jlwallen/Documents to the directory /media/disk/BACKUPS. This destination is a directory located on an external USB drive obviously mounted to /media/disk. The command for this backup will be:

rsync -avh /home/jlwallen/Documents /media/disk/BACKUPS

This is where we run into our first “gotcha”. What happens with the above command is that any subdirectory in /home/jlwallen/Documents will be created on /media/disk/BACKUPS. So if you want to create a similar directory structure on the destination you should first create a parent directory similar to that of the source. So before you run the rsync command issue this command:

mkdir /media/disk/BACKUPS/Documents

The new rsync command would be:

rsync -avh /home/jlwallen/Documents /media/disk/BACKUPS/Documents

The options used in the above command are:

• a: Archive mode
• v: Verbose mode
• h: Output in human readable format.

Now let’s backup the same source to a remote location with the help of secure shell. It will help your cause to first make sure you can log into the remove machine via ssh. Once you have that working you are ready to backup. Using our same example we are going to backup to user jlwallen at the IP address 192.168.1.10 to the directory /home/jlwallen/BACKUPS/Documents. To do this the command would look like:

rsync -avhe ssh /home/jlwallen/Documents jlwallen@192.168.1.10:/home/jlwallen/BACKUPS/Documents

The added option is e which allows you to specify the remote shell to use.

You will be prompted for the remote users’ password and then the coping will begin. But what if you don’t want to have to use a password? If you are wanting to set up automated, remote backups you will have to allow this process to happen without entering a password. To do this you have to create an SSH key without a password. Here are the steps for this:

create an ssh key on the source machine with the command:

ssh-keygen -t dsa

Press enter when prompted for a password.

Once the key is created copy that key to the destination key with the following command:

ssh-copy-id -i .ssh/id_dsa.pub username@destination

Where username is the user on the remote machine and destination is the IP or domain of the remote machine.

Now rsync copying can be done without having to enter a password.

Final thoughts

The nice thing about this setup is you can now use rsync to create a cron job for backup automation. Rsync is an incredibly flexible and reliable means for backing up your directories and files. It should be since it is the foundation that so many other backup tools were based on.

Related posts

• Get To Know Linux: Secure Shell (4)
• Zip Encrypt Ftp Backups (1)
• Yadis! Backup Software (2)
• Windows Backup Software: Backup Maker (18)
• Windows Backup Software DeltaCopy (11)

Much like DropBox, with Ubuntu One you do have to sign up for a service. And, as I mentioned in the previous article, Ubuntu One has two levels:

• Free: The free account offers 2 Gigs of storage space.
• Paid: The paid account offers you 50 Gigs of storage space for $10.00 USD per month.

Once you have signed up with an account, you can then install the client, and finally enjoy all the syncing between Ubuntu computers you need. In this article you will see just how to install the client and begin using Ubuntu One.

Signing up

Before we get to the installation process, we must first visit the sign up process. It’s actually quite easy. Go to the Ubuntu One Plan page and select your plan. Once you have signed up for your plan, you then can proceed to the installation process.

Installation

After you have signed up you can then install the software. I will assume you are using Ubuntu 9.04 for this installation. The first thing you need to do is make sure your 9.04 is up to date. So run the Update Manager (found in the Administration sub-menu of the System menu). Once that is done you need to add the correct repositories to your /etc/apt/sources.list file. There is a very simple way to add these repositories to your sources file. If you click on this link allow GDebi to install the .deb file which will create a file in /etc/apt/sources.list.d called ubuntuone-beta-sources.list with the following contents:

# Ubuntu One Beta PPA sources
deb http://ppa.launchpad.net/ubuntuone/beta/ubuntu jaunty main
deb-src http://ppa.launchpad.net/ubuntuone/beta/ubuntu jaunty main

Or you could add the above code to your /etc/apt/sources.list file.

I would suggest going with the automatic method, because it will also add the GPG key for you.

Once you have done that you can open up Synaptic (Not the Add/Remove Software tool) with the command sudo synaptic and follow these steps:

1. Search for “ubuntuone-client-gnome” (No quotes).
2. Accept all of the dependencies.
3. Click Apply to install.

Once installed you fill find the Ubuntu One entry in the Internet sub-menu of the Applications menu.

Using Ubuntu One

Figure 1

When you start Ubuntu One for the first time it will also start your browser to the Ubuntu One page. From this page you will need to create an account or sign in to your account. After you sign in you will then have to add the computer you are using to the account. You can add as many accounts as you need. After you add the computer the Ubuntu One icon residing in your GNOME panel will appear, show your files being updated (if there are any), and then the icon will disappear. If you want the icon to remain on the panel you just need to start the application again where you can then configure the icon to appear at all times (see Figure 1).

Here you can also configure Ubuntu One to start upon login as well as limit bandwidth usage.

If you find that the Ubuntu One icon does not show up after the initial sync, make sure you have it set up to connect automatically on start, log out, and then log back in. You should then see the Ubuntu One icon in your panel (see Figure 2).

Figure 2

The Ubuntu One icon you see in Figure 2 is the second from the left (between the Google Desktop icon and the DropBox icon).

You are ready to use Ubuntu One. You will find a new directory created in your ~/ directory called Ubuntu One. Any file you place in this folder will be sync’d with your Ubuntu One account. As soon as you add a file to this folder you will see it automatically start to sync with your Ubuntu One account.

Final thoughts

Ubuntu One certainly one-ups DropBox for simplicity. This tool will make using Ubuntu on the business level all the more easier. You will be able to easily sync all of your files between home and work. Give Ubuntu One a try.

Related posts

• Ubuntu Karmic Koala preview (23)
• DropBox Is Available For Everyone (4)
• With Ubuntu 9.10 Arrives Wubi 9.10 (2)
• Why you should switch your parents pc to ubuntu (20)
• Which Ubuntu Derivative Is Right For You? (16)

When you spend a lot of time creating and administering the web/mail server combination, it’s always good to have a solution that is easy to put in place. I have found one that I have used for a while now and trust its security and ease of use. This “system” uses a fairly complex iptables script that has just a single line that you will need to modify in order to have sound security for a web/mail server that serves up web pages via Apache on port 80 and mail via SMTP on port 25 and IMAP via port 143. Included in this script is the inclusion of port 25 for secure shell access.

You will be surprised how simple this script is to use. I have uploaded the script to a pastebin site which you can access using this address. Copy that script to your Linux server (for the sake of simplicity save it in ~/scripts, which you will create) and you are ready to set the system up.

Configuration

The only line you need to configure (unless you need to change the networking device name and/or want to include extra ports or remove ports from the script) is line 8. This line looks like:

SCRIPT_DIR="/PATH/TO/DIRECTORY"

What you want to have there is the location that will be filled with any IP address blocked by the firewall. For the purposes of this tutorial it will be saved in ~/scripts.

Once you have that edited you can save the file and call it start_iptables.sh. Now give the file executable permission with the command:

chmod u+x start_iptables.sh

Now create a new file called stop_iptables.sh. The contents of that file will be:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Make that file executable with the command:

chmod u+x stop_iptables.sh

The former script will start your firewall, the latter script will stop it.

Starting this script

You can start and stop this script any time you feel like with the command:

sudo ~/scripts/start_iptables.sh

If there are no errors you should see something like:

Starting IPv4 Wall…

You can also check to see by listing all of your iptables chains with the command:

sudo iptables -L

Stopping the firewall is done with the command:

sudo ~/scripts/stop_iptables.sh

Start at bootup

Now let’s make it such that the firewall script starts upon boot of the server (should the need arise).  Open up the /etc/rc.local file and add the line:

/PATH/TO/scripts/start_iptables.sh

before the “exit 0″ line.

Where /PATH/TO/ is the explicit path to the ~/scripts directory (you can’t use “~/” in rc.local).

The script will now start at boot.

Final thoughts

This easy to install firewall will add a level of saftey to your web/mail server that would be hard to come by with a GUI tool. And if you are using a headless (console only) server, it’s the only way to go.

Related posts

• Firestarter: Simple to use, powerful desktop firewall (6)
• Configure a Linux Firewall with Webmin (1)
• Build a Quick and Reliable Firewall with fwbuilder (3)
• Zonealarm Pro Firewall 2010 Promotion (5)
• Windows Vista Firewall Control (4)

Thanks to the Mozilla Labs there is Prism. Prism is unlike other proprietary solutions like Silverlight. Prism is basically a way to split web apps from the browser and run them directly on the desktop. Although not always as small as, say, a Google Gadget, Prism tools are far more functional and do not strip features from the tools you use. For example, if you are using the Prism Google Document tool, you will have a fully functioned instance of whatever app you are using. In this tutorial you will learn how to install Prism and some of the apps as well as configure shortcuts for your menu.

Installing

As you would expect, Prism can be found in your distributions’ repository. So to install, follow these steps:

1. Open up your Add/Remove Software tool.
2. Search for “prism” (no quotes).
3. Select Prism (and any apps you will want installed) for installation.
4. Click Apply to install.

Once installed you have a number of options available to you for starting applications. If you look in your Internet sub-menu in your Application menu you will most like find a number of Prism-enabled applications already there. You will also find an entry for the Prism tool itself. This tool is really the best place to start if your app isn’t found in the menu.

If, however, the app you want to use is found in the Internet menu go ahead and fire it up. You will notice that the Prism-enabled apps look and feel exactly as if they were in your browser – minus the browser menus, toolbars, address bars, etc.

But if you do not find the app you want to use worry not, most likely you will be able to get it working through Prism. Let’s use an Apple Web app as an example. If you take a visit to the Apple web application site you will find numerous applications you can use. Let’s use the DataCalc app as an example. When you visit the DataCalc page you will find the app URL – this is the URL you are going to use for the Prism app.

Figure 1

Now, go to the Internet sub-menu and click on the Prism entry. This will open up a blank Prism window with a smaller configuration window (see Figure 1). Enter the DataCalc URL in the URL text area and enter

Figure 2

DataCalc for the Name. Finally click the checkbox next to Desktop to add a clickable icon to your desktop. Click the OK button and the icon will appear on your desktop and a Prism window will appear with your web app running (see Figure 2). NOTE: You may have to set the icon as Trusted when you double click it. This will not only enable the icon to be clickable, it will also change the icon appearance. When you close out this Prism App, all you have to do to restart it is to double click the icon.

I have yet to find a means to add a Prism app menu entry when the app is installed in this manner. All Prism apps that are installed via Synaptic will have menu entries.

Final thoughts

We all know the desktop is trying desperately to evolve into a web app-based cloud. If you’re interested in getting a feel for what this is like, give Prism a try.

Related posts

• The reinventing of the Operating System (16)
• Opera Will Reinvent The Internet On June 16 (13)
• Mozilla Prism 1.0 Beta (8)
• Lotus Symphony on Linux: Install a part of “IBM’s Smart Work” (8)
• Google Docs Shares Documents Without Permisson (3)

With SecPanel you can create a profile for each of your ssh connections so that connecting is just a matter of opening up the tool, selecting the connection you want from a list, and clicking the Connect button. And for each profile you create, you can associate numerous configuration options. In this tutorial you will learn how to install and use SecPanel to manage your secure shell connections.

Features

SecPanel hosts a number of useful features:

• X11 tunneling  control
• SCP management
• IPv4/6 support
• SSH1/2 support
• Keypair management
• Trace window

and more.

Installing

Like most modern Linux applications SecPanel can be installed by following these simple steps:

1. Open up your Add/Remove Software utility.
2. Search for “secpanel” (no quotes).
3. Mark SecPanel for installation.
4. Click Apply to install.
5. Okay any dependencies.

That’s it.

Running SecPanel

Figure 1

You will find SecPanel in the Internet sub-menu of your Applications menu. When you click that entry to start up the application you will see the main window (see Figure 1) where you can start to add connections. You will notice in Figure 1 there are already profiles listed. Be default there will be none (you have to create them first.) So let’s illustrate how Profiles are created.

Figure 2

To create a new Profile click on the New button. This will open up the Profile editor (see Figure 2). In this window the only required options are:

• Profile Name: The name you want to give your profile.
• Title: This is the name that appears in the Connections listing window.
• Host: The address you want to associate with this profile.
• User: You can either supply a username that is associated with this connection or configure the connection to ask each time a connection is made.

With regards to the username: If you always connect to this server with the same username, go ahead and configure a user. If, however, you connect to this server with different usernames (depending upon what job or service you are tackling) check the “Ask” checkbox. With this configuration a small box will open, when you go to connect, asking you to first input a username.

Other important options to consider are:

• No agent forwarding: Do not allow public-key authentication.
• No X11 forwarding: Do not allow X11 tunneling (you will not be able to remotely run GUI tools).

When you have your profile configured to your liking click the Save button to save your profile. In order to connect to this profile you have to go back to the main window (click the far left icon under the menu bar), select the profile you want to connect to, and click the Connect button.

Keypair

You can also manage keypairs for ssh connections, from within SecPanel. To do this click on the Lock icon from within the main window. When this new window opens you can do things like delete hostkeys, generate keypairs, distribute public keys, add identities, and more. One of the more important tasks you can take care of is the generation of keypairs. The generation of keypairs with this tool is extremely simple. Even distributing public keypairs is made simple with this tool.  Note, however, you can only distribute your keypairs to the machines in your profiles. If a server is not in one of your profiles, you can not distribute a keypair to it.

Multi

If you have an application installed (like MultiXter or ClusterSSH) you can connect to multiple servers at once which is good for such tasks as sending the same command to clustered servers. You will first have to have a supported tool installed.

Final thoughts

If you manage a lot of ssh connections SecPanel is a tool you should certainly look into. If you are used to PuTTY on a Windows machine, you will be very happy with SecPanel.

Related posts

• Top Xp Freeware that every user needs part 3 (5)
• My Encrypted Tunnel (1)
• Fun Things to do with PuTTy and Linux-Routers (7)
• Control Servers from Mobile Phones via SSH (1)
• About PuTTy and Tutorials, including a PuTTy Tutorial. (3)

MTAs (Mail Transfer Agents) can be a tricky lot to set up. Add in to the mix something like relaying and you have all the ingredients for an installation NOT working. Fortunately Postfix isn’t nearly as complicated as Sendmail, so relaying isn’t something you need guru-level access to solve. In this tutorial I am going to show you how to set up Postfix for easy relaying. You can always add this to the Ubuntu Server series that started with the article “Installing Ubuntu Server 9.04“.

Installing Postfix

Just in case you haven’t already, you can install Postfix on your already running Ubuntu Server install with the command:

sudo apt-get install postfix

But I am going to assume you already have Postfix up and running already. And if you’re looking into relaying with Postfix, your problem is that you can receive mail, you just can’t send it. Let’s fix that problem.

Configure Postfix

The file you need to first take care of is /etc/postfix/main.cf. You will need sudo access so open this file with the command:

sudo nano /etc/postfix/main.cf

Now add this to the bottom of that file:

# SMTP Authentication
smtp_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

NOTE: The portion starting with “smtpd_recipient_restrictions” and ending with “reject_unauth_destination” is actually one line.

NOTE: The portion starting with “reject_unauth” and ending with “sasl_passwd” is also only one line.

NOTE: The above assumes you are using Dovecot as your IMAP server.

The last line of the above should give you a hint as to what is next. Yes, you have to create a file, sasl_passwd, for Postfix to use as a password file. This file will be located in /etc/postfix/sasl/ and will look like the following:

address.for.relaying   username:password

Where:

• address.for.relaying is the actual mail server you will use for relaying.
• username is the username for authentication on the relaying mail server.
• password is the password for authentication on the relaying mail server.

The next step is to create the the sasl_passwd DB file so that Postfix has something it can read. To do this, issue the command:

sudo postmap hash:/etc/postfix/sasl/sasl_passwd

You should now see a new file in the /etc/postfix/sasl directory called sasl_passwd.db.

One file step before restarting Postfix. Because the password file is plaintext it should be secured so that it can not be read by just any user. Say, for instance, you want Postfix to only be read by the root user. For this issue the command:

sudo chown root:root /etc/postfix/sasl/sasl_passwd && chmod 600 /etc/postfix/sasl/sasl_passwd

Do the same thing with the sasl_passwd.db file like so:

sudo chown root:root /etc/postfix/sasl/sasl_passwd.db && chmod 600 /etc/postfix/sasl/sasl_passwd.db

NOTE: If you have need for a different user, you can chown the file to whatever user you want…just make sure it is a secure user.

You’re finished. All that is left is to restart Postfix with the command:

sudo /etc/init.d/postfix restart

Open up your mail client and text to see if relaying is now working for you.

Final thoughts

Gone are the days of the overly complicated (and insecure) Sendmail configurations. Setting up relaying is simple when you are using Postfix.

Related posts

• Install Postfix for reliable email delivery (8)
• Use Spamassassin for better SPAM detection (1)
• Stop SPAM in Postfix with Spamassassin (1)
• Quickly check mails without downloading them (8)
• Make Sendmail accept mail from external sources (1)

The problem with CAs is that they can be a bit costly – especially for the administrator running a free service, or even a small business without the budget for purchasing CAs. Fortunately you don’t have to shell out the money for CAs, because you can create them for free on your Linux machine with an easy to use application called TinyCA.

Features

• Create as many CAs and sub-CAs as you need.
• Creation and revocation of x509 S/MIME certificates.
• PKCS#10 requests can be imported and signed.
• Both server and client CAs can be exported in multiple formats.

TinyCA works as a user-friendly front-end for openssl, so you don’t have to issue all of the necessary commands to create and manage your CAs.

Installing TinyCA

You won’t find TinyCA in your distribution’s repositories. You can either add the necessary repository to your /etc/apt/sources.list file or you can install from one of the binaries found on the main page. Let’s use Ubuntu and Debian as an example for installation.

If you want to install using apt-get you will need to first add the repository file to your sources.list file.  So open up the /etc/apt/sources.list file with your favorite editor and add the following line:
deb http://ftp.de.debian.org/debian sid main

NOTE: Replace “sid” with the version you are using. If you are using Ubuntu 9.04 the example above will work.

Now run the command:

sudo apt-get update

You will notice that apt-get complains about the lack of a gpg key. That’s okay because we are going to install using the command line. Now issue the command:

sudo apt-get install tinyca

This should install TinyCA without complaint. You might have to okay the installation of some dependencies.

Using TinyCA

Figure 1

To run TinyCA issue the command tinyca2 and the main window will open. Upon your first run you will be greeted by the Create CA window (see Figure 1). When you already have CAs this window will not open automatically. In this window you will create a new CA.

Figure 2

The information you have to enter should be fairly apparent as well as unique to your needs. After you fill out the information click OK which will open up a new window (see Figure 2). This new window will contain configurations that are passed onto SSL during the creation of the certificate. Like the first window, these configurations will be unique to your needs.

After you fill this information out click the OK button and the CA will be created. Depending on the speed of your machine, the process could take a bit of time. Most likely the process will be completed within 30-60 seconds.

Managing your CAs

Figure 3

When your CA is complete you will be taken back to the management window (see Figure 3). In this window you can create SubCAs for your main CA, you can import CAs, open CAs, create new CAs, and (most importantly) export CAs. You can’t see the Export button in Figure 3, but if you were to click the down arrow on the upper right portion of the window you would see another button you can click to export a CA.

Of course you have just created a Root Certificate. This certificate will only be used for:

• create new sub-CA:s
• revoke sub-CA:s
• renew sub-CA:s
• export the root-CA:s certificate

For anything other than the above you would want to create a SubCA. We’ll discuss creating a SubCA that can actually be used for your website in the next article.

Final thoughts

TinyCA takes a lot of work out of the creation and management of certificate authorities. For anyone that manages more than one web site or server, this tool is certainly a must have.

Related posts

• No related posts.