In one of my previous post I made a tutorial how to bypass corporate firewalls and gain access into your office computer. It work well if you are at your home and you need ssh access (or any other service) to your office computer. However if the situation is reversed, and you need to access some outside service which your firewall is blocking then you would use this little tutorial with explanations. Although all this is covered in the ssh man pages, one always learn best by real life examples, so here I’ll try to cover few of them. So to better explain our first problem look at the picture below:

The first problem

We are located at office computer which is behind the very restrictive firewall and we want to get to the non-standard service running on the remote server.

So normally if I use for example Mysql Administrator to connect on my MySql database on a remote server, that communication would happen on port 3306, and for this to work Mysql Administrator must have appropriate rules set in our firewall to allow that traffic. But what if traffic on that port is blocked?

Here is where we come to ssh port forwarding. If we have ssh access on any outside computer we can route our traffic through the tunnel and gain access to the service via standard ports. ^{( solution )}

The second problem

Ssh tunnel can be also used to establish connection from insecure networks to standard and non-standard services inside secured, firewalled network as shown in picture bellow:

As you can see here, server is behind the firewall and all the standard ports on that server (like http, pop, imap…) are allowed, but the server is also running mysql service which is listening on port 3306, to connect to it server’s firewall should allow this incoming connection. But what if it doesn’t?
What if the network from which we are connecting is insecure and we wish to maintain our data private while communicating with our trusted, firewalled network?
Again we can solve this problem with ssh port forwarding. If we have clear and working ssh access on the server or any other machine in the firewalled network, we can route our traffic through that ssh connection ^{( solution )}.

Solving the first problem

^{( problem )}
So if our firewall is very restrictive (inbound and outbound), and you don’t have control over it you can use ssh port forwarding. Essential things you need are: allowed ssh traffic on your restrictive firewall, port 22 by default, a remote server to which you can connect via ssh, and preferably control over that remote server’s firewall. If even port 22 is blocked in your restrictive firewall you can setup your outside ssh server to listen on some other port that is allowed through your firewall, and than use -p switch in your ssh command to connect on your server. If you don’t really know anything about ssh, you can always read ssh basics and than come back here.

So in our real example we want to connect to mysql service running on remote server and our firewall won’t allow it. We have ssh access on that server so we will use it to tunnel this traffic.

To start up this tunnel this command will be used:

ssh -L 3306:localhost:3306 username@server

So this will actually open up a port 3306 on our local computer listening on loopback interface through established ssh connection on to server’s port 3306. If we already have mysql server running on local machine then the port 3306 is already in use, so we need to use another port on our loopback interface, so the command would look like:

ssh -L 3307:localhost:3306 username@server

Then we use our service client, in this case Mysql administrator and instruct it to connect to 127.0.0.1 at our specified port.
We can use the same command to tunnel any other port and or service this way.

Extending this example

We can also use this connection method to our remote server for routing traffic to some other servers. Of course our remote server must to be able to connect to that remote service.
This is usually very popular to forward traffic to some online games running on non standard ports, EvE, Warcraft, and any other game (this might produce additional lag on FPS games).

As shown on picture, for example we have outside gaming server running at port 66732, and of course that port is blocked in our firewall. We can use our remote server with ssh connection to establish a ssh tunnel and then route that traffic to our local computer.

To do so we would use this command:

ssh -L 66732:remote.gameserver:66732 username@our.server

On our loopback interface (127.0.0.1), this will create a listening port 66732 which will be then forwarded to remote.gameserver’s port 66732 through our ssh connection on port 22.
All you need to do is instruct your game client to connect on localhost. This can also be used in constructive purposes, like using your remote shell server to route traffic this way to remote mysql server on which you don’t have ssh access but is available to your remote server via 3306 port.
Bare in mind that your remote ssh server will have to be able to connect to remote.gameserver/mysql server on appropriate port, it your remote server have any outbound firewall rules filtering this traffic, this example will not work until you open that port.

As with reverse ssh port forwarding we can make this connection available to other computers on our LAN by specifying listening interface while establishing the tunnel. I’ll go with remote gameserver example and enable our co-workers to connect via same ssh tunnel to remote gameserver without them needing to create their own tunnels.

If you have multiple network interfaces on your computer you will specify the one whit which you are connected to your co workers, but you can also enable it on all interfaces like this:

ssh -L 0.0.0.0:66732:remote.gameserver:66732 username@our.server

when you do netstat -ntl on your machine you will see it’s listening on 0.0.0.0:66732 port. Your co-workers can now connect to your’s office pc ip on that port and their connections will be also tunneled via this established ssh connection. Bare in mind that the remote.gameserver will see all the connections comming from our.server so if the remote.gameserver have any per ip connection count limit this will obviously be a problem.

Solving the second problem

^{( problem )}

How is this problem different form the first one. In essence it’s not, only differences is that our firewall is permitting the non standard traffic, or we don’t even have a firewall to worry about, but the server’s firewalled network is very restrictive and its blocking our non standard ports. Ssh tunnel commands used in this example will be the same. However I can use this example for demonstrating why ssh tunnel can be useful for.

Say we don’t have the firewall and port limitations, but we are temporary on insecure network and server is on secured/trusted network. If we were to use any of the old plain test services like ftp, pop3, imap, synergy, etc… malicious hosts/users can sniff out that traffic and find out any usernames and passwords sent via plain text. Even the contents of the connection. So here’s were ssh tunnel steps in again.

We can start an ssh tunnel from our insecure network to our secured server’s network and tunnel any plain text/insecure traffic through it. By default ssh tunnel binds its self to loopback interface on our computer, which malicious network user doesn’t have the access to, and as the ssh is encrypted, all the traffic passing through this tunnel will be plain gibberish to any malicious user sniffing our traffic on this insecure network.

Just like in one of the previous posts (secure synergy setup) we will use this tunnel to secure our traffic from eavesdropping. Ftp actually has sftp (ftp over ssh) so if you already have ssh you will want to use that instead of tunneling ftp traffic, but if for any reason you are not able to use it then this should work as well.

I’ll take my example on pop3:

We establish ssh connection to secured remote server and tunnel the port 110 on our loopback interface to server’s 110 through established ssh session.
Then we connect with our mail client to localhost and preform plain text pop3 authentication through secure ssh tunnel.

ssh -L 110:localhost:110 user@secure.server

If you don’t have the access to the mail server’s ssh then you can use another ssh host on secured network to route traffic with this:

ssh -L 110:mailserver:110 user@secure.server

Few useful tips

As mentioned few times before, perhaps the firewall will not allow standard ssh ports through, or your ssh server is running on different port in which case you should use -p switch with ssh. For example your ssh server is running on port 2210 then to forward pop3 traffic you would use:

ssh -p 2210 -L 110:mailserver:110 user@secure.server

You can also speed things up by using ssh-keys and ssh-agent

And of course if you wish to use your ssh connection only for port forwarding an wish to put it into background you would use:

ssh -N -f -L 110:mailserver.110 user@secure.server

And from here it’s all combinations of above used commands.

Have fun!

Related posts:

1. Bypassing corporate firewall with reverse ssh port forwarding
2. SSH basics
3. Migrating to new web hosting

I’ve being playing around with Sun’s Opensolaris for a while and I’m quite pleased with it to say at least.
Opensolaris 2009.06 comes with few nifty features and software like dtrace, zfs, COMSTAR, etc.

I tried it a while ago as a desktop system, and was quite presently surprised with ZFS and its snapshots so I played little more with it. I do plan to make another post on this subject alone but mine main intent of this post will be to help you setup an Opensolaris server, without GUI who will use its, I would say best quality, zfs and other set of tools like COMSTAR to provide scalable, high performance, low budget, storage server.

Since I intend to use this post for future reference in some setups I will try to keep it straightforward and just explain basic setup for get the non gui Opensolaris up & running with COMSTAR and additional zfs pool with single simple iSCSI target.

I will be using a Opensolaris 2009.06 (you can download LiveCD image from this link), a simple low budget hardware with three sata hard drives.

Installing Opensolaris

After you downloaded Opensolaris iso image burn it to a CD and boot your computer with it.
When the cd boots you should get a screen like this:

If for some reason you end up with user/password prompt the default username is:jack and password is:opensolaris

Anyways, double-click on Install Opensolaris icon located on the Desktop. Setup wizard will show up which will guide you trough the setup process.

On the Disk selection step I will chose my smallest disk from 20Gb to be used as system disk, and leave those other two disks intact at the moment. Whole installation will take up about 3Gb of storage so the 20gb disk should be ok for now.

After the installation is done remove your installation CD and reboot the system. When system is booted you will find yourself in Gnome graphical environment. We won’t remove it just yet since we need to make our new opensolaris box available on the network. If you might have a dhcp server somewhere on the network opensolaris will pick up an IP address and configuration from it. I don’t usually use dhcp and I do prefer to use static IP addresses. So let’s get started with that first.

Configuring static IP address

Since I’m doing a local lab installation my Ip addresses are non Internet routable, replace them with IP addresses suitable for your needs.

Login to your desktop as normal user, open up your terminal and follow these steps:

su -

enter the root password when asked.

svcadm disable network/physical:nwam
svcadm enable network/physical:default

Now let’s find out our network interface names:

dladm show-phys

echo 192.168.2.200 > /etc/hostname.e1000g0
echo opensolaris > /etc/nodename

Next we need to edit the hosts file:

nano /etc/hosts

Make it look like this:

192.168.2.200 opensolaris opensolaris.local loghost
::1 localhost
127.0.0.1 localhost

now edit a netmasks file:

nano /etc/netmasks

and append the line

192.168.2.0 255.255.255.0

Now run this:

ifconfig e1000g0 plumb
ifconfig e1000g0 192.168.2.200 netmask 255.255.255.0 up

Now, if you would like to use a DNS for name resolving you must configure resolv.conf file

nano /etc/resolv.conf

it should look something like this:

domain localdomain.com
       nameserver 192.168.2.1
       nameserver 192.168.2.2

now run:

cp /etc/nsswitch.dns /etc/nsswitch.conf

All we need to do is configure a default route:

echo 192.168.2.1 >> /etc/defaultrouter
route add default 192.168.2.1

Now reboot your server and verify the changes are persistent.

Removing unnecessary packages

Your server should be available trough ssh so use it for further configuration.
To remove gui from our opensolaris installation we will be using minimization script bundled with http://kenai.com/projects/isc/pages/OpenSolaris
To do so we would need mercurial so let’s install it with:

pfexec pkg install SUNWmercurial

Next we will get the script with command:

hg clone ssh://anon@hg.opensolaris.org//hg/isc/src  isc

after script checkout run it with:

pfexec isc/opt/samples/minimization.ksh

Make sure you don’t execute this command from graphical interface since it will be removed. As the matter of fact script will remove all non essential packages and disable service not needed for running opensolaris as a server.

Installing and configuring COMSTAR

By now we should have a clean, fresh, and minimal opensolaris box, now it’s time to add some functionality to it.

To install it just enter:

pfexec pkg install storage-server

This will install all the required packages and services.
First thing to do is enabling stmf service. By default the service is off, to enable it type:

pfexec svcadm enable stmf

now runing:

svcs stmf

should say the service is in maintenance mode. This is due to drivers not being loaded to kernel immediately after install, so we need to reboot the server in order to get this service running (still searching a way to circumvent the reboot process).

After reboot is complete verify that the service is running:

branko@opensolaris:~$ svcs stmf
STATE          STIME    FMRI
online         17:07:54 svc:/system/stmf:default
branko@opensolaris:~$ pfexec stmfadm list-state
Operational Status: online
Config Status     : initialized

Configuring zfs pool

Now for the rest of this post we will setup additional zfs pool, and configure one basic iscsi target on it.

Remember our two unused disks at the install?
Well let’s make another zfs pool on them. If you don’t have additional disks, you can skip this step and configure iscsi target on already existing zfs pool.

Let’s find out which disk we are already using:

su -
zpool status

You should get something like:

  pool: rpool
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c8t0d0s0  ONLINE       0     0     0

errors: No known data errors

Note the disk name already in use is c8t0d0s0. Now to find out what other disks are present on the system let’s use format command:

format

Now program will launch interactive shell and should display something like this:

Searching for disks...done

AVAILABLE DISK SELECTIONS:
       0. c8t0d0 
          /pci@0,0/pci1000,8000@14/sd@0,0
       1. c8t1d0 
          /pci@0,0/pci1000,8000@14/sd@1,0
       2. c8t2d0 
          /pci@0,0/pci1000,8000@14/sd@2,0
Specify disk (enter its number):

If your disk doesn’t show up try entering

devfsadm

prior to format command.

Hit the CTRL+C key combination since we actualy don’t want to format any disks.
Now we found additional two disks by lables c8t1d0 and c8t2d0

To make new zfs pool with them we will enter following command:

zpool create data mirror c8t1d0 c8t2d0

where “data” is the name of the new pool, mirror is type and c8t1d0 and c8t2d0 are devices for this pool.

Let’s verify the pool existance:

zpool list

Should print out:

NAME    SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
data   99.5G    76K  99.5G     0%  ONLINE  -
rpool  19.9G  4.43G  15.4G    22%  ONLINE  -

or

# zpool status data
  pool: data
 state: ONLINE
 scrub: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        data        ONLINE       0     0     0
          mirror    ONLINE       0     0     0
            c8t1d0  ONLINE       0     0     0
            c8t2d0  ONLINE       0     0     0

errors: No known data errors

And now we have a brand new zfs pool for storing iscsi targets.

Creating iscsi target

Let’s start with creating 10Gb zvol which we will export as iscsi target. We will use -s flag for sparse so we can thin provision our targets.

zfs create -s -V 10g data/iscsitarget

Now let’s see the volume:

# zfs list data/iscsitarget
NAME               USED  AVAIL  REFER  MOUNTPOINT
data/iscsitarget    16K  97.9G    16K  -

Now, let’s create a logical unit using this volume:

sbdadm create-lu /dev/zvol/rdsk/data/iscsitarget

It will return:

Created the following LU:

              GUID                    DATA SIZE           SOURCE
--------------------------------  -------------------  ----------------
600144f01cdf4f0000004af6f28b0001      10737352704      /dev/zvol/rdsk/data/iscsitarget

Verify the creation with:

sbdadm list-lu

To make a logical unit available to all hosts type:

stmfadm add-view 600144f01cdf4f0000004af6f28b0001

where 600144f01cdf4f0000004af6f28b0001 is your lu GUID

Enabling iscsit service

first we need to install SUNWiscsit

pkg install SUNWiscsit

Then check service states:

# svcs -a | grep -i iscsi
disabled       17:07:06 svc:/network/iscsi_initiator:default
disabled       18:07:47 svc:/network/iscsi/target:default
online         17:40:45 svc:/system/iscsitgt:default

Disable iscsitgt

svcadm disable iscsitgt

and enable the iscsi target service

svcadm enable -r svc:/network/iscsi/target:default

Make sure it’s started:

svcs -a | grep iscsi

if it ends up in maintenance mode, reboot your machine and check again.

If the output is something like:

online  14:21:25 svc:/network/iscsi/target:default

Creating a target for discovery

If the service is started create a target with:

itadm create-target

Verify target creation:

itadm list-target

and link iscsi devices to local system:

devfsadm -i iscsi

you should now see this logical volume on your iscsi initiators.

And that would be all for now. In some future posts I will describe more usage examples based on this setup.
Until next time…

Related posts:

1. Howto create rsync server

So i decided to make a little different post than usual, a little more thoughts based than tutorial alike.
I would like to take a brief overview of todays memory usage for various tasks and scripts. Since large part of my the day is involved in web servers and their management I will mainly focus on memory usage for web applications and scripts.

Not so long ago, having a server with 4Gb of  working memory was a luxury, today we have certain scripts consuming about 512Mb of memory while running. What changed?
Internet boom, popularity of web 2.0 applications, ease of development, bunch of those learn programing in 21 days books and tutorials, that is what happened. In addition there is a whole bunch of people from “I want Internet” generation who still don’t quite grasp the difference between RAM and Disk memory, not to mention they don’t quite grasp the inner mechanics of computer systems.

Sir… the white smoke got out of your metal box… you must refill it with white smoke to make it work again

Well, like it or not those people like to call themselves web masters and web developers.

I’m not claiming to be an über-pro programmer or that I posses some super natural insight in programing, but I usually do like to use common sense when I’m involved in developing something.

Over the time I witnessed some pretty messed up code. Ranging from abstract syntax to heavily demented processing logic. Mainly in web development problems lie in those books teach yourself php in 3 hours. As it is covered in this fantastic article learning some programing language takes time. You can’t just learn to program in few days. What you can do is learn some basic syntax and few useful functions. First problem I encountered trough passed few years with such developers is url_fopen. I covered those cons and pros of curl vs fopen article, but the point is learning PHP from 21 days book will never explain you this.

Same thing goes here with memory management and some script logic. Usually those books tend to have simplistic approach, and usually don’t bother much with script optimizations for heavy usage. Learning PHP in that way new programmers tend to write unoptimized code.

Few years back I had a “clash” with one of those newbie developers. He actually developed something on his local machine, tested it and released it into public. This even worked for some times while he was in some sort of marketing phase still advertising his new product. At some point his php script started to throw “memory exhausted” errors. After a short while he contacted me and said

Hey… what is wrong with your web server? I still have a plenty of disk space available, why is he throwing this error? You must have miss-configured it!

Doh! Well I’ll skip the part of explaining him the difference between memory and disk space, and few other arguments and get to the point what was wrong with the script.
Script was tested in lab environment, populated with only basic entries and not so well tested with multiple users requesting multiple data, with extensive data growth over time. The script literary massacred the MySql server with some joins on tables without any indexes ranging in size from 40-50Mb in size an few millions of records. Needles to say almost all the data was put into php array for later processing thus exceeding the php memory limit.
While there was less data and less users script worked since the array didn’t leave the configured memory limit.

Usually joins in mysql query can be avoided, and server will return the requested data faster. But the root cause of his problem reporting was this php memory limit. And the simple answer for this problem is partial data processing.

Get some data from mysql -> put it to variable -> process it -> free the memory -> repeat the process until done

With proper query you will give some slack to mysql server, you will lower the memory usage of the script and so on….

Although this type of problem with “one man band” developers making some applications for themselves is a problem, a much larger problems are those kinds of developers hiding behind some big and widely spread open source web applications like Joomla, Drupal, phpBB etc and even some paid web applications.

Here we have a problem with people not yet involved with programming but they still own and make new sites based on some of those free open source applications. Applications are so widely used across huge amount of sites that they gained some kind of authority status saying we make good stuff.
Problem here is since it is open source any developer (even those newbie ones) can contribute to the source. Not so much to the core of the application but as a plugin. Plugins are installed separately and usually involve some risk of bad developer practice.

One of such plugins that I will take for an example (nothing personal it’s just a fresh memory) is  jom_sef.
While very useful for SEO optimizations of certain parts of site this plugin actually loads every time a visitor loads or reloads your site. This plugin also reads a bunch of records from his mysql table and puts it into some sort of array. Remember my newbie developer from before? This plugin generally works while there is a low count and volume of data that he needs to process. But at some point it stops, and users find themselves in weird situation.

First thing to do for them are to contact their host provider with the same question

Hey, this thing worked all this time! What did you do to the server? Make it work.

Some may bother explaining to the customer what just happened, and they will accept it for what it is. Some will just increase the memory limit until next time. And some will just fight the never ending battle with the customer. Customer will complain on the public forums, community or even the developer of the plugin itself will advise customer to change the company since it all works like a charm (yes but on low traffic, no data website).

Now regardless of the battle outcome, let us review this from the server side. Weather you have shared or dedicated server of your own you have to consider this problem from the server side.

Your dedicated server will have for example 4Gb of RAM. Let’s say that the mysql server is located on the same machine and it is using about 600Mb to 1Gb of memory depending of the usage. Let’s say we will take aprox. 300-400Mb of memory for basic system usage, and that much for mail system. That leaves us with aprox. 2Gb of memory for our webserver. So let’s enable the jom_sef and let us give it the 64Mb memory limit per php child. Since jom_sef will load each time visitor comes to our site and each time it will consume near 64Mb of memory that leaves us with 32 concurrent users.

Well what’s wrong here? Is it the server and it’s setup… or is it the script?

Fact is servers are getting bigger and bigger each day. It’s not so uncommon to find a +24Gb of RAM shared hosting servers which may tolerate your memory consumption until some point. But when you reach that limits shared hosting servers will usually cut you off. Increasing memory limits beyond that is a risk. Memory overallocation will most certainty bring your server into unusable state.

Common sense is very uncommon.
~Horace Greeley

Common sense from one of those people, that believes “white smoke” is the power behind the computers, is that something is terribly wrong with the server. He is paying much more for his dedicated server than his colleague for his shared hosting, but his script is not working, server is “dying”!

Well if you are a “white smoke” believer let me try it this way.
You will pay a great deal of money for your Ferrari, but if you take it to the woods and chop some trees then hook up let’s say 32 of those trees onto the back of your Ferrari, will it move?

On the other hand we have some great software and plugins like for example WordPress and wp-supercache where we can run entire system, mysql and our website in just a 512Mb of RAM for bunch of concurrent users since they will be served with pre-generated static pages.

So the conclusion I guess would be:

If you believe in “white smoke” please hear the advice from your sysadmin. If you on the other hand just finishing with your “Learn php in 21 days” book, please don’t jump into developing some public available software. Make as little damage as you can. Keep the planet green, reduce the number of servers needed for running the web.

Hope this helps someone to make some sense into some developers and users.
And for all of you frustrated with the same things please leave the message after the beep!

— Beeeep —

Related posts:

1. Migrating to new web hosting

There are tons of reasons why would one want to create a rsync server. For example you wish to backup your data to a remote server but you don’t want to backup everything every time.

rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License and is currently being maintained by Wayne Davison.

As you can see rsync is ideal for this. You can use it within ssh protocol, rsh and rsync itself. Creating a rsync server will allow you to create easily accessible storage server, update server for your scripts, etc.

Anyway let’s get started on configuring rsync server which will serve as remote backup server.

Ok first make sure you have tcp and udp port 873 open in your firewall.
Next install rsync on your machine (if you don’t have it yet), and xinetd as well.

We will make rsync available trouh xinetd so you must enable it by editing its conf file

edit the line saying:

disable = yes

so it says:

disable = no

so the entire file should look something like this:

service rsync
{
       	disable = no
       	socket_type     = stream
       	wait            = no
       	user            = root
       	server          = /usr/bin/rsync
       	server_args     = --daemon
       	log_on_failure  += USERID
}

Next we want to create rsync client username and password

and enter a username and password in format:

yes it’s plain text.
Let’s create a rsync server conf file:

now here enter:

#maximum allowed connections
max connections = 10
#where to log
log file = /var/log/rsync.log
timeout = 300

Now to create a share using a password and being able to send files to rsync server we will add this to our /etc/rsyncd.conf:

[backup]
comment = Backup place for my office computers
path = /backup/
read only = false
list = yes
uid = backup
gid = backup
hosts allow = 192.168.0.0/24 # i want to limit the rsnyc server only to this group of hosts
secrets file = /etc/rsyncd.secrets
auth users = username #enter username specified in secrets file

Now what we have here is a rsync server module at path /backup which will allow only hosts within 192.168.0.0/24 network and users authenticated by username specified in secrets file.

To make sure this will be somewhat secure let’s change permissions on rsync config files

Restart the xinetd

and voila.

Let’s go test it out from one of our clietn hosts:

So to actualy backup something onto this host we would use:

the command would ask us for a password specified in secrets file.
After successful login rsync will start to transfer files to remote machine.
Next time we start it it will only transfer the differences since last time.

If you would like to script this entering a password could be a problem. Luckily rsync offers a solution in password file.

enter your password here and chmod this file to 600 so it’s only readable by you.
start the rsync with following command:

Ofcourse this could be done in reverse.

To setup another share for download only we would create a read-only share without passwords.
just append this to your /etc/rsyncd.conf file:

[update]
comment = update downloads
path = /home/branko/update
read only = true
list = yes
uid = branko
gid = branko
hosts allow = 192.168.0.0/24

Restart the xinetd

Now you may see there is no auth user or secrets password. So when we issue the rsync command on our server again:

you will se another module available by the name update.

to rsync content from this module just use:

Related posts:

1. Opensolaris server with COMSTAR and zfs
2. SSH basics

So recently I went nuts having to login onto each server to look at its munin graphs. While you have few servers it’s doable, but managing large farms and checking up on them while having to login into each is just pain in the ass.
So what to do?
Hey… let’s make a central munin server, and let’s hold all the graphs there. That way we can review them all with just one user name and password, we can compare host performances, etc…
To accomplish this we will need one server for centralized graphs (could be a low budget dedicated server or a small vps), apache installed on central munin server, munin-node installed on all other server we wish to monitor.

Installing munin

So this will be a minimal install for a central munin server. I’m using a small vps with minimal centos install.
First let’s setup elrepo

Now we need to install munin and munin-node (if you wish to monitor this host as well).

by default munin will put its html files into /var/www/html/munin folder
If you wish to move that to another place, now is your time. For the sake of simplicity I’ll just leave it where it is.
Of course we will need apache to access those munin html files, so if you don’t have apache installed do:

now start the apache

If you left everything as it is munin html should be available at:

http://yourhostname.com/munin/

You may notice that there is nothing there yet, just wait until we configure all other hosts.
start the munin-node on this host (if you installed it)

Make sure your cron is runing

and let’s go configure those other hosts.

Installing munin-node

Installing on cPanel

Since lot’s of my servers to monitor are with cPanel installed there is an easy way to install munin.

Login to your whm go to: Manage plugins, now find Munin, click a check box, scroll down and click save.
After the munin is installed it should appear in your whm at the bottom of the navigation.
Go and check up if the munin is installed correctly.

Installing trough cPanel will install munin-node and munin, you can disable the munin graphing later if you like.

Installing on non cPanel

We can install munin on Centos trough Elrepo.
first we will setup elrepo

and then install a munin-node:

voila… let’s configure nodes on remote servers now.

Configuring munin-node on remote hosts

For both cPanel and non-cPanel servers all we need to do is add allowed host in munin-node.conf

add at the end of the file:

where 192.168.0.20 is the ip address of you central munin server.
restart the munin-node:

If you have firewall installed on that host (and I hope you do), allow the incoming tcp port 4949 for the ip of the central node.

In csf add the following line:

to your /etc/csf/csf.allow file
or just run:

Modify this to your firewall, and don’t forget to replace 192.168.0.20 with your munin server
Now everything should be ready for data collection from central server

Configuring munin server

All we need to do now is to configure the munin

If you didn’t change any locations of html files and munin datastore you realy don’t need to change that in the conf file.

What we are interested with are the host sections. You will notice there is configuration for our localhost
You can change its name now, leave the address field as it is.

To add up a new host just add:

change the 192.168.0.10 with the ip of the server you wish to monitor.
you can now add as many host you like.
Make sure that you have enabled outgoing connections on tcp port 4949 on your central munin server.
After a while the first results should start to appear.

Configuring multi host display graphs

The real benefit of having all the host graphs and data on one place is you can easily make multi host graphs and compare the loads on the servers. This could help you grasp a bigger picture of individual server workloads and give you an idea what to improve and how to load balance between the machines.

Here is one of the example graphs, showing apache request per second. If the machines were the same hardware configuration that would give indications that some of the machines have higher hit rate and we would need to rewrite our load balancing.

We could do the same thing with load graphs and see which servers have the spikes, and distribute the workload on some less loaded servers.

So how do we configure this?

First you need to find out rrd’s name of the data you wish to put on the graph.

for example apache accesses per second:

ls -lh in the directory and you will find out what data is available to munin.
in case of the apache accesses data we will have few files named:

hostname.domainname.com-apache_accesses-accesses80-d.rrd
hostname2.domainname.com-apache_accesses-accesses80-d.rrd

what we are interested with are those fields (marked in red) after the domain name separated by dash.
Ok let’s write a conf in munin.conf for this two hosts.

Go under the host definitions in your conf file and add:

[domainname.com;Totals]
update no
apacheaccess.graph_title Apache access side by side
apacheaccess.graph_order hostname=hostname.domainname.com:apache_accesses.accesses80 hostname1=hostname1.domainname.com.com:apache_accesses.accesses80

Notice the red lines, they are the same as rrd filenames red parts we saw earlier, just replace dash with dot.
Green text is to disable updates for this domain declaration since updates are already done at the host declaration in the conf file. Blue is the graph representation name, followed by title in the first line and data in second.

This way you can make all the side by side graphs for all the data munin collected in rrd files. After the changes wait for a next munin update and enjoy the graphs

No related posts.

So while doing a little coding I tried to find some tail -f class in python that will recognize when file that we tailing is been truncated. All I found was some tail -f classes that brakes on file truncate or rotate.

Eventually I came up with this:

Maybe it’s a too much overhead to check each time for file size, but you get the general idea.

So anyways here’s a usage exampe:

This will print out any new line appended to /var/log/messages file. If the file gets truncated or log rotated, class will detect it and will return to the start.

No related posts.

Occasionally you will wish to block certain ports to your DomUs from Dom0. By default you wish to allow any traffic from and to DomU but for some security considerations, I found it to be wise to block some ports to and from my clients DomUs. One such port range is for example IRC. Although it can be routed trough alternate ports, most of those automated nasty malicious scripts use default ones. It’s quite handy to block them so they ain’t able to contact home.

As said by default Xen bridge is open for all traffics towards and from DomUs. It’s up to DomU admin to firewall their own virtual machine. Unfortunately some just forget to do the proper securing of the system, and as a result you get compromised DomU contacting various botnets, and executing all kind of nasty stuff.

To prevent this we can make a firewall rules in DomU that will by default block some traffic. Since I’m using bridged network firwalling must be done on bridge. I found this great article on shorewall manuals how  to setup bridged network firewall. I installed it and tested it on 32bit Centos 5.2 should work on any system though but I didn’t tested it on any other.


Fist of all you will need to download and install latest shorewall. As stated in documentation link above: Because Xen uses normal Linux bridging, you must enable bridge support in shorewall.conf

Set

Now we have to edit our firewall zones:

It should look something like this (link to file):

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw    firewall
dom0    ipv4
domU    ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Next thing to do is to define network interfaces, we will be dealing with two network interfaces: virtualized eth0 and bridge.

And the file should look like this (link to file):

#ZONE   INTERFACE    BROADCAST    OPTIONS
-    xenbr0          -               dhcp
net     eth0            detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And next we must edit hosts file

And the file should look like this (link to file):

#ZONE   HOST(S)                                 OPTIONS
dom0    xenbr0:vif0.0
domU    xenbr0:vif+                            routeback
net     xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Now let’s make some policies in our firewall:

And the file should look like this (link to file):

#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
fw    all     ACCEPT
all     fw    ACCEPT         info
dom0    all     ACCEPT
all     dom0    ACCEPT         info
domU    all     ACCEPT
all    domU        ACCEPT
net     net     NONE
all     all     REJECT         info
#LAST LINE -- DO NOT REMOVE

This will by default allow any traffic through the bridge. You can also specify DROP policy for your Dom0 and then open necessary  the ports in rules file. Note that the fw and dom0 are the same the same but they both need to be declared in policy and rules file. So… for now this all does not block IRC traffic as we started to do, so all we need to do now is to setup the rules file.

And the file should look like this (link to file):

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE   ORIGINAL        RATE            USER/   MARK    CONNLIMIT    TIME                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#irc
REJECT          net             domU            tcp     6660:6669
REJECT          domU            net             tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Now this will block all incoming and outgoing traffic from port range 6660 to 6669 for all DomUs. If you wish to add an exception to one DomU you can simply edit the rules file and insert the exception above the REJECT (sample exception config):

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE   ORIGINAL        RATE            USER/   MARK    CONNLIMIT    TIME                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#DomU exceptions
ACCEPT  net     domU:192.168.0.10    tcp     6660:6669
ACCEPT  domU:192.168.0.10    net     tcp     6660:6669

#DomU restrictions
#irc
REJECT          net             domU            tcp     6660:6669
REJECT          domU            net             tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

This way only the DomU with ip 192.168.0.10 will have unblocked IRC ports. Although the above config should work it didn’t for me. Centos 5.2 by default comes with

so no bridge firewalling is actually done. To enable this edit your sysctl.conf file

and append:

now run:

And the bridged firewall for your DomUs should work now.

Related posts:

1. Multiple network interfaces in Xen
2. Preventing ip conflicts in xen

Synergy is a nifty tool for cross platform clipboard, keyboard and mouse sharing. It’s reasonably easy to configure synergy server for use with multiple synergy clients. Doing so will spare you some time while working on multiple computers at your desk at once. I use it at office to connect my laptop’s and office computer mouse, keyboard and clipboard and thus reducing or completely eliminating need to lean over my laptop every time I need to use it. Anyway, most of the people use it with quicksynergy wrapper allowing even easier setup, but what the synergy lack is a means of authentication and security in data transfers. I’ll try to guide you how to make a secure synergy setup on untrusted networks.

So for a starter you will need to setup a synergy config file to use it with your synergy server.
While using a quicksynergy may be easier we won’t use it since it lacks some flexibility.

I’m using my laptop named blap and my office computer named kex. Blap is located to the left of kex so I will need a conf file looking like this:

section: screens
    blap:
    kex:
end

section: links
    kex:
        left = blap
    blap:
        right = kex
end

When done configuring screens and links save that file as synergy.conf in your home directory.

Starting a server with:

will allow us to connect to our office computer using our laptop and merging screens.
Like stated earlier, synergy server have no means of authentication so any client within our network can connect to. Naturally if I’m on busy or untrusted network this isn’t very appealing thought. On top of that, all traffic between synergy server and client is unencrypted so anyone on local network can eavesdrop with tcpdump, wireshark or any other network capturing program. Anything that gets to clipboard is available to our malicious user on our local network.
So how can we implement some sort of encryption and authentication on our synergy server.

First we will add additional parameter to our synergy server startup line:

this way synergy server will start listening on loopback network interface instead on all network interfaces. This way we are only allowing access to synergy server to locally authenticated users. You can now put this command in session startup.

Since now server is not available on any outside interface we must first login and authenticate our self to the office computer. While doing so we will also open a ssh tunnel to our laptop.

So prior to executing our synergy client on laptop I will need to execute:

this will open up ssh connection to my office computer (192.168.0.100) for which I will need to login as user branko an when I do so port 24800 on 192.168.0.100 will be tunneled to my localhost’s port 24800.

Now I can simply start up my synergy client on my laptop by executing:

Now all the traffic between my laptop and office computer is encrypted and as such information traveling trough the ssh tunnel are unavailable to possible eavesdropping, and since we started the server on a loopback interface no malicious client can be connected from outside. For the ease of use you can combine the above comands in single shell script and saving it in users private bin folder.

paste the text inside

#!/bin/sh
ssh -N -f -L 24800:localhost:24800 username@synergyserver
synergyc localhost

Make it executable:

And now you can simply type synergy at your terminal or run command prompt after pressing ALT + F2

Related posts:

1. SSH port forwarding

Probably lots of you are behind some sort of very restrictive corporate firewall. Unable to access your office pc from home because of firewall policies. In normal cases this scenario is more than welcomed. No outsiders should be allowed to access internal parts of secure network! Ideally companies will setup secure VPN access thus allowing its employees to access their work computers and do some work remotely. What if you aren’t one of the lucky ones having such option? You desperately need to access your office pc?

The problem

So how can you access your office PC? One way is to setup corporate VPN access allowing secure connections to internal network. Another method is to setup a port forwarding on corporate firewall so it redirects certain ports to your office PC. But if you don’t have the means to accomplish any of this then the only way to do it is to use ssh tunnels and reverse port forwarding.

The solution

So if we can only contact remote hosts on certain ports, the solution would be to contact remote hosts via allowed port and piggyback the connection on already established link.

Something like shown on the picture above. Fortunately we can do this with ssh, all we need to do is met some requirements.

Real life example

I will assume that home PC is connected via dynamically assigned IP address. First thing you will need to make sure you have ssh server installed on your home PC and it should be accessible from Internet. If you have some NAT routers, be sure to forward port 22 to your home PC. Secondly you will need to setup a dyndns account so you can connect to your home PC regardless of IP address changes. Now the goal will be to connect to ssh server on our office PC. so the port in question will be 22 if you wish to forward another port change it in your configuration accordingly.

For the purpose of this example i will name my home PC: bhome.dyndns.com office computer name will be bwork.office.com

bwork computer uses private IP range of 192.168.0.0/24 with address 192.168.0.100

So if the firewall is preventing outside connections to our bwork computer we must initiate connection from it.

We can do this with simple ssh command:

ssh -R 2210:localhost:22 bhome.dyndns.com

So what just happened here?

We are initiating ssh connection “ssh” with reverse port forwarding option “-R” which will then open listening port “2210:” who is going to be forwarded back to localhost‘s port “:22″ and all this will happen on remote computer “bhome.dyndns.com”.

This connection represents the green line in the diagram above, and it’s a legit connection as far as corporate firewall is concerned.

So if we now open up a terminal on bhome computer, and type in:

ssh -p 2210 localhost

we will try to connect to localhost (bhome.dyndns.com) on port 2210. Since that port is setuped by remote ssh connection it will tunnel the request back via that link to the bwork.office.com computer. This is the red line on the diagram above. Looking from firewall’s perspective it’s a legit traffic, since it is responding traffic on already initiated link from bwork computer.

Real life example 2

What if your home computer is not always on-line? Or perhaps you wish to access your office computer from multiple locations? For this you will have to have some dedicated server or VPS outside the corporate firewall.

So to accomplish this we will use the same command as previously, only this time we will open up a reverse ssh tunnel to remote server or VPS.

For the purpose of this example we will name the server bserver.outside.com with IP 89.xxx.xx.4

ssh -R 2210:localhost:22 bserver.outside.com

again this will open up reverse ssh tunnel to the machine 89.xxx.xx.4 (bserver.outside.com). So when we login to the server and issue the command:

ssh -p 2210 localhost 

we will end up with bwork computer’s ssh login prompt.

Can I use this previously established reverse ssh tunnel to the server to directly connect to my office computer?

Of course, but some slight modifications are required.

By default ssh tunnels only bind to local address, and can be accessible only locally. Meaning, in the example above, you can’t just type:

ssh -p 2210 bserver.outside.com

on your home PC and be connected to your office PC

If you run:

netstat -ntl 

on bserver you will see that the port 2210 is only listening on 127.0.0.1 IP address. To get it listen on interface connected to Internet we must enable GatewayPorts option in ssh server’s configuration.

By default GatewayPorts are disabled in sshd, we can simply enable them:

nano /etc/ssh/sshd_config

then add:

GatewayPorts clientspecified

save the file and restart sshd:

/etc/init.d/ssh restart

we could have just enable GatewayPorts by typing On instead of clientspecified, that would route any ssh tunnel to network interface. This way we can control which tunnel will be accessible from outside, and on which interface.

So if we initiate reverse ssh tunnel like this:

ssh -R 89.xxx.xx.4:2210:localhost:22 bserver.outside.com

we will have bserver listening on port 2210 on network interface bound to ip 89.xxx.xx.4 and forwarding all traffic via established tunnel to bwork computer. If you omit the 89.xxx.xx.4 address from the command above server will again listen on port 2210 only on local loopback interface. If you have multiple network interfaces on server be sure to select the one you can connect to.

So now when we run:

ssh -p 2210 bserver.outside.com 

from our home PC we will initiate ssh connection on port 2210 towards server bserver.outside.com (blue line). Server will then forward that traffic to office PC (red line) via the previously established reverse ssh tunnel (gren line). Of course you will have to open up port 2210 on server’s firewall to be able to connect.

Some more fun with reverse tunnels.

But i have a printer behind that corporate firewall. How can i connect to it? Easy… remember the first example? the command ssh -R is taking 5 arguments of which 4 are mandatory

ssh -R [bind_address:]port:host:hostport

bind_address is the network address on which port will be listening, and forwarded to host (connected to network from which reverse tunnel originated) on hostport.

so if we issue the command like this on our bwork pc:

ssh -R 89.xxx.xx.4:2211:192.168.0.10:631 bserver.outside.com

we will get something like this:

so again we have previously established reverse ssh tunnel listening on port 2210 to channel the ssh connection towards office PC. Now with this new command we established the reverse ssh tunnel (yellow line) towards bserver which will listen for incoming connections on port 2211. When the home pc makes a data connection to port 2211 on bserver (brown line) it is then forwarded to office PC (black line) which is then redirected towards office printer at address 192.168.0.10 on port 631 (violet line). Remember, all this traffic is passing trough corporate firewall as legit traffic, even if the illustration perhaps shows otherwise.

Automating the task

So by now we should have covered the basics on how to bypass corporate firewall in order to get to your office computer and network equipment. Now ssh -R isn’t really practical, it consumes one terminal, and as soon as it shuts down there is no tunnel and no outside connectivity for that matter. The easiest thing to do is putting a cron job that will connect to remote server if the connection fails, office computer reboots etc.

First of all generate ssh keys, and add them to ssh-agent so that script won’t ask you for remote server’s password all the time.

Next we will add two extra parameters to our command -N and -f so that the connection goes into the background.

the command will look like:

ssh -N -f -R [bind_address:]port:host:hostport 

next we need a shell script that will be triggered by the cron. For this example we will use the Real life example 2.

#!/bin/sh
COMMAND="ssh -N -f -R 89.xxx.xx.4:2210:localhost:22 bserver.outside.com"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND

now edit this code so it suits your needs, and save it in your home dir as reverse_ssh_tunnel.sh
Now we need to add a crontab entry which will trigger this script every 5 minutes.

crontab -e

and add:

*/5 * * * * /bin/sh /home/username/reverse_ssh_tunnel.sh

If you are connecting to different user name on remote server you can edit your commands so they look like:
ssh -R [bind_address]:port:host:host_port username@remote_host

Related posts:

1. SSH port forwarding
2. Secure synergy setup
3. SSH basics

By default my Dell xps M1530 came with preinstalled windows vista, Media direct and all those fancy stuff, naturally it all had to go away. For some time I used it with dual boot, and installed Dell Media direct. Naturally I used anything else then Ubuntu so rarely it didn’t make sense in keeping those stuff around no more. I decided to reformat everything and dedicate every last byte of available resources on my laptop to Ubuntu. While doing so I will try to keep a track in this post of everything that I do/install on my system so it would work perfectly with all available features.

Please note that following this guide from beginning to the end will most certainly erase all your data. So if you aren’t ready to make a full clean install please skip few first steps.

Step 1. Preparing for fresh install

1.A backing up existing data.

If you already used Ubuntu on your laptop and you actually want to reinstall your system but remain all current functionality you should backup your data.

First thing you want to do is backup your existing home directory. Make sure you have enough disk space to archive your data on home partition.

To backup your home dir open gnome terminal and type in:

cd /home/
tar -czvf homedir.tar.gz *

it should take some time before archive is complete so go grab some cup of coffee, take your dog for a walk…

After it’s done copy your archive to some off site storage since your entire disk will be erased (yes no partition will remain intact).

You should also make a list of currently installed packages. List will be later used to repopulate your new system with currently used software.

To do so type in gnome terminal:

sudo dpkg --get-selections >   package.selections

Now copy that file to off site storage to since we will need it after we are done reinstalling the system.

If you have some third-party software sources enabled backup your sources list file /etc/apt/sources.list

and files in /etc/apt/sources.list.d/ folder

Note: this will not backup your internal mysql databases, websites and other software or data not managed trough packet manager or located beyond /home folder.

1.B removing all the content

Why so drastic measure? Simple, Dell uses hidden HPA partition used by Dell Media Direct button to boot up Media direct. Thing is.. if there is no media direct partition, that hidden partition and it’s boot up process will a) overwrite your current grub conf and b) rewrite your partition table in unforeseeable ways. Some like to call this button a Dell self-destruct button, since it renders your Linux installation useless if it can’t find what it’s looking for. For a better understanding of Dell’s Media Direct button functionality take a look here.

So how to render it ineffective? Simply do a low level format of you hard drive, it will rewrite HPA partition with zeros thus disabling self-destruct function from Media direct button.

Be aware this will erase all your data currently residing on laptop’s hard disk!!!

To format your drive, boot up with your installation cd, don’t select to install your Ubuntu just yet, use the option to try Ubuntu without modifying current system. After boot up open gnome terminal and write:

sudo dd if=/dev/zero of=/dev/sda

Again, it will take some time.

Step 2 – Installation

Since installation is actually pretty straightforward there is no real need to guide you trough entire process. I will suggest though that you make your own custom partitioning. By default Ubuntu will make only one partition for system and data, and one swap partition. I suggests that you make at least one more on mount point /home. That way next time you have to reinstall the system you will only format the system partition, leave home partition intact and thus preserving all your configuration and personal data.

You will have to make root partition / swap partition (usualy 2x the amount of ram installed), and /home partition. I will leave the sizes allocation to your own discretion.

Step 3 – Post installation configuration

3.A – Touch pad

If you have already upgraded your bios first thing you will probably notice is touch pad not working properly. If you are without external mouse this can be pain in the ass so let’s fix that first.

Push +F2 type in gnome-terminal and hit OK.

Now type in:

sudo pico /boot/grub/menu.lst

find:

## additional options to use with the default boot option, but not with the 

## alternatives

## e.g. defoptions=vga=791 resume=/dev/hda5

# defoptions=quiet splash

and add to defoptions line i8042.nomux=1 so it looks like this:

## additional options to use with the default boot option, but not with the 

## alternatives

## e.g. defoptions=vga=791 resume=/dev/hda5

# defoptions=quiet splash i8042.nomux=1

Save and close the file and type:

sudo update-grub

Reboot your system and your touch pad should work. Yes it works, but I found it to be a little rough to say at least.

Again open your terminal, type in:

sudo pico /etc/X11/xorg.conf

add the following:

Section "InputDevice"

Identifier "Mouse0"

Driver "synaptics"

Option "SendCoreEvents" "true"

Option "Device" "/dev/psaux"

Option "Protocol" "auto-dev"

Option "ZAxisMapping" "4 5"

Option "Emulate3Buttons" "on"

Option "SHMConfig" "on"

Option "VertEdgeScroll" "on"

Option "VertTwoFingerScroll" "on"

Option "LeftEdge" "85"

Option "RightEdge" "910"

Option "TopEdge" "85"

Option "BottomEdge" "715"

Option "FingerLow" "25"

Option "FingerHigh" "30"

Option "MaxTapTime" "180"

Option "MaxTapMove" "220"

EndSection

Save & exit, restart your GDM with

ctrl+alt+backspace

3.B – Updates

Now that you have your touch pad operational, you should probably check for updates and install them.

Go to System > Administration > Update manager

Check for updates, install them if any. You will probably need to reboot into new kernel.

3.C - installing proprietary drivers

If you wish your system to run 3D graphics, connect to wireless you should install additional hardware drivers. Go to: System > Administration > Hardware drivers

Select and install latest Nvidia 177 and Broadcom B43 wireless driver

You don’t really need to reboot after each installed driver, but it is advisable after you installed them both.

3.D – fingerprint reader

There is actually two options to get fingerprint reader to work, since Dell’s fingerprint reader isn’t an imaging reader at the time it seamed to be best to install Thinkfinger. You can also try to install fprint reader.

To install Thinkfinger you will have to add following lines to your sources.list

sudo pico /etc/apt/sources.list

add:

deb http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main
deb-src http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main

then do

sudo apt-get update

sudo apt-get install thinkfinger-tools libpam-thinkfinger

All we need to do now is test it:

sudo tf-tool --acquire

It will ask your fingerprint 3 times or more if there is failed scans. After you have done 3 successful scans, it will save your biometric readings in /home/user/.thinkfinger.bin

Verify your fingerprint will be recognized

sudo tf-tool --verify

If it’s ok it should look something like this:

Please swipe your finger (successful swipes 1/1, failed swipes: 0)... done. 

Result: Fingerprint does match.

To use it every day modify /etc/pam.d/common-auth

sudo pico /etc/pam.d/common-auth

add the following line before other auth lines:

auth    sufficient      pam_thinkfinger.so

it should look something like this:

...

auth    sufficient      pam_thinkfinger.so

# here are the per-package modules (the "Primary" block) 

auth    [success=1 default=ignore]      pam_unix.so nullok_secure 

...

After rebooting you should be able to use either your password or your fingerprint to authorize yourself.

3.E – internal microphone

It’s pretty simple actually, all you have to do is:

1. Double-click the volume control icon in the top right of the screen.
2. Select Edit / Preferences.
3. Add “Digital” and “Digital Input Source” to the list of visible tracks.
4. On the Options tab, select “Digital Mic 1″ for “Digital Input Source”.
5. On the Recording tab, set the volume for the microphone.

You can test it out with Sound recorder: Applications > Sound & Video > Sound Recorder

3.F – webcam

By default webcam is working with skype, ekiga etc. except with cheese, there is bugreport at: https://bugs.launchpad.net/ubuntu/+source/cheese/+bug/290506

It will however work with low resolutions like 352 x 288 and lower.

[edit@Jan 9, 2009]:

As of today there is an proposed update of cheese and kernel that addresses this previously mentioned bug. After fully upgrading your system cheese should work without any problems on all resolutions

[/edit]

From hardware point of view this is more or less everything you will need. Card reader will work automatically, mobile broadband with new network manager also. New Ubuntu Intrepid will even recognize multi purpose usb sticks like that Vodafones Huawei stick described in previous post.

3.G – power savings

I use laptop-mode to do my power-savings, right now I won’t get into tips and tricks of power savings for laptops running Linux, maybe in another post in near future. For now all you need to know is it’s now a great time to check out your hard disk and its current behavior of head parking and tweak it if necessary. Long story short, new laptop hard drives can park its head when not in use. By default they park it very often when on battery and less often when on AC. In general this is a good thing since if your laptop is to suffer some physical trauma while on battery if the hard disk head is parked it will minimize the possibility of data loss. On the other hand head parking ability is not unlimited, it’s usually a number of about 600 000 head parks. One may say it’s a high number, but with default settings it will give your hard disk lifespan for about 6 months.

A quick view on current status:

sudo apt-get install smartmontools

date; sudo smartctl -a /dev/sda | egrep '(Load_Cycle_Count|Temperature)'

wait about 15 min on battery then issue the command above again:

date; sudo smartctl -a /dev/sda | egrep '(Load_Cycle_Count|Temperature)'

First line, last numberr will show Load Cycle count (head parks). If number is growing to fast consider doing steps as described in this post: http://ubuntuforums.org/showthread.php?t=795327 even if your disk or laptop model is not on the list.

Step 4 – restoring backed up data

If you did make steps for backing up the data in step 1.A now is a good time to restore them.

First you will need to reinstall all those custom packages. If you had custom third-party software sources in your /etc/apt/sources.list file or /etc/atp/sources.list.d/ directory restore them now and update the lines so they match new intrepid installation.

Copy yours package.selections file from remote storage to /home folder , and issue the following command:

sudo dpkg --set-selections < /home/package.selections && apt-get dselect-upgrade

This will take some time since apt will have to re-download and install all the additional software you used. When it's done copy your home folder backed up archive to /home and unpack it with:

tar -xzvf homedir.tar.gz

Now log out and log back in. Everything should be the way you remember it.

Related posts:

1. Vodafone mobile and Ubuntu
2. Ajax problem in Firefox 3 on Ubuntu
3. Howto create rsync server