
System settings
...Updates
...Distribution upgrade
...Services
...Syslog
...Set or reset locales
...Set / modify the system library path
...Time
...Cron
...Generating core dumps
...Disable a user account
...Default browser

Networking
...Set your or other's hostname
...MAC address
...IP address
......Configure a static IP address
......Configure DHCP
...Set a route
...Set DNS you want to use
...Network troubleshooting
...Denying access to hosts
...Finding services that use a given port

Mail/SSH/NFS
...Start/Stop Postfix or Sendmail
...SSH
......Configure SSH server and client
......X forwarding through SSH
...NFS
......NFS server
......NFS client
......Web references
...Proxies
...Certificates

Debian packages
...Dpkg
...Apt
......Sample configuration
......Commands
...Synaptic
...Aptitude
...Creating a Debian package

Udev
Sound
Applications
...EncFS
...Fail2ban
...KPilot
...Portsentry
...Rkhunter
...Sudo
...Skype
...Wine
...Interesting packages

System settings

Updates

update-manager &

Distribution upgrade

$ sudo sed -i 's/raring/saucy/' /etc/apt/sources.list
$ sudo sed -i 's/olivia/petra/' /etc/apt/sources.list
$ sudo sed -i 's/raring/saucy/' /etc/apt/sources.list.d/official-package-repositories.list
$ sudo sed -i 's/olivia/petra/' /etc/apt/sources.list.d/official-package-repositories.list

$ sudo apt-get update && sudo apt-get dist-upgrade
$ sudo apt-get upgrade
To upgrade the kernel on Linux Mint
To know which distribution you have:
inxi -S

Services

  • update links in rc.d: update-rc.d <name> defaults
  • remove: update-rc.d <name> remove
  • to run a given command at startup, add it to /etc/init.d/rc.local
  • List status of all services:
    sudo service --status-all
    
To disable bluetooth:
service bluetooth stop
To disable bluetooth service on startup, add in /etc/rc.local:
rfkill block bluetooth

Syslog

To restart syslog:
kill -SIGHUP `cat /var/run/syslogd.pid`

Reset the locales

To set (or reset) the locale, run:

dpkg-reconfigure locales
To generate locales,
sudo locale-gen fr_FR.UTF-8

System Library path

  • Modify /etc/ld.so.conf, add directory
  • launch ldconfig

Time

To set the timezone:
sudo dpkg-reconfigure tzdata
To install NTP:
sudo apt-get install ntp

Cron - configuring periodic tasks

To list the contents of the crontab, do:
$ sudo crontab -l
# m h  dom mon dow   command
0 3 * * 1-5 /path/myscript.sh

Generating core dumps

By default, it seems the system won't generate core dumps:
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
If you want to be able to core dump:
$ ulimit -c unlimited
This is for unlimited core dump (otherwise, set a size).

Disabling a user account

$ sudo usermod pi --expiredate 1
To disable login for an account:
passwd -l <username>

Default browser

$ sudo update-alternatives --config x-www-browser

Networking

Hostname

Typical /etc/hosts:
127.0.0.1 localhost
yourIP your-host-name
Modify your host's name:
  • modify /etc/hostname
  • modify /etc/hosts
  • Reboot

MAC address

sudo arp -a 192.168.0.35
? (192.168.0.35) at 00:e0:4c:b3:80:bf [ether] on eth0

IP address

Configure a static IP address

Solution 1. GUI
launch network-admin (Gnome menu: Desktop -> Administration -> Networking)
Solution 2. Manual
  • for a permanent modification,
    • write to /etc/network/interfaces
    • iface eth1 inet static
      address <your IP address, e.g 192.168.x.y>
      netmask <your mask, e.g 255.255.255.0>
      gateway <your gateway, e.g 192.168.x.254>
            
    • restart the network: /etc/init.d/networking restart
  • for a temporary modification,
    • set up the interface: ifconfig eth0 <your IP address>

DHCP client

Packages are:
  • dhcp-client
  • or dhcpcd5, isc-dhcp-client, isc-dhcp-common
To set up DHCP for a client:
Solution 1. GUI
Gnome Desktop -> Applications -> System -> Networking: choose your network card and set it for DHCP.
Solution 2. Manual
Edit /etc/network/interfaces :
auto eth0
iface eth0 inet dhcp 
To disable dhcp,
sudo update-rc.d -f dhcpcd disable
To remove dhcp:
  1. Remove in /etc/network/interfaces this line:
    iface eth0 inet dhcp
    
    and make sure there is
    dns-nameservers   8.8.8.8 4.2.2.1
    
  2. Disable dhcpcd
    sudo update-rc.d dhcpcd disable
    
  3. Remove the packages:
    sudo apt-get remove dhcpcd
    sudo apt-get remove isc-dhcp-common
    sudo apt-get remove isc-dhcp-client
    sudo apt-get remove dhcpcd5
    

Route

Set up the route: route add default gw <your gateway>
In this example, the gateway is 192.168.2.1, and the host uses eth0.
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     1      0        0 eth0
To delete an existing gateway:
route del default gw IPAddrGateway

Set DNS you want to use to resolve names

  • to modify the domain name: set /etc/hosts and /etc/resolv.conf (search)
  • to restart the DNS server: /etc/init.d/bind restart
  • DNS requests: dig @127.0.0.1 194.117.193.99 ANY
  • to resolve a name: host <name>

Network troubleshooting

To check a network configuration:
  • check interfaces: ifconfig should show available interfaces. Typically a loopback interface and an Ethernet interface. If an interface is down, set it back up with ifconfig <interface name> up
  • Check that IPv6 is not interfering with your network configuration (that is, if you don't need IPv6!):
    • check the ipv6 module is not loaded: lsmod | grep ipv6
    • the interfaces should not be configured for inet6: ip a | grep inet6
    • the hosts file need not include any IPv6 address: check /etc/hosts
  • check the route: /sbin/route -n
  • check your DNS: host <whatever name> should display the IP addresses the name resolves to. If incorrect, check /etc/resolv.conf
  • display active Internet connections: netstat -nat
  • display open ports: netstat -tulp

Denying access

To deny an IP address put it in /etc/hosts.deny

Finding programs that open given ports

sudo netstat -anp | grep :<port>
This command is also handy:
lsof -i :80

Network-dependent services

Mail

  • MTA: postfix, sendmail...
  • MDA: procmail, dovecot, maildrop
  • MUA: mutt...

Postfix is the default MTA for Ubuntu. It does not include an IMAP server (see dovecot). Its main configuration files are located in /etc/postfix (main.cf). Use postconf for configuration.

To start, reload or stop postfix: /etc/init.d/postfix start (reload...). Be sure that sendmail is not running: /etc/init.d/sendmail stop

If you do not need emails, it is a good idea to stop the nullmailer service:
sudo service nullmailer stop
or even sudo apt-get remove nullmailer. Otherwise, the mailer sends many DNS requests.

SSH

Client and Server

To use SSH:

  • SSH server: apt-get install openssh-server
  • SSH client: apt-get install openssh-client

Concerning one of the latest OpenSSL PRNG bugs, see here.

To reconfigure SSH (and regenerate keys):

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
The logs are generally in /var/log/auth.log

X forwarding

A very common situation is logging on to a distant host D from your local host L using ssh. Getting windows of D displayed on L is usually one of the first things you learn at school ;-) but it sometimes turns out to be trickier. Using SSH, this is how to do it: edit /etc/ssh/ssh_config (or your own ssh config in ~/.ssh) and set

ForwardX11 no
ForwardX11Trusted yes

Then, from the prompt on L, do the following:

xhost + (or the host you want to allow)
ssh -X <address or name of D> -l <yourloginname>

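That's all! You do not need to set your display. All of this is explained here, with nice hints to help you debug reluctant situations. Note that xhost + without a host name disables X access control for every host, so name the host you want to allow whenever you can.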

NFS

This subsection explains how to share a directory with NFS.

Server Side

This is what you must do on the host sharing the directory to other hosts.

Make sure the following options are set in your kernel:

  • CONFIG_NFS_FS
  • CONFIG_NFS_V3
  • CONFIG_NFSD

For example:

    CONFIG_NFS_FS=m
    CONFIG_NFS_V3=y
    # CONFIG_NFS_V3_ACL is not set
    CONFIG_NFS_V4=y
    CONFIG_NFS_DIRECTIO=y
    CONFIG_NFSD=m
    CONFIG_NFSD_V3=y
    # CONFIG_NFSD_V3_ACL is not set
    CONFIG_NFSD_V4=y
    CONFIG_NFSD_TCP=y
    CONFIG_NFS_COMMON=y

Get the necessary packages:

apt-get install nfs-kernel-server

Set up file systems to export :

/etc/exports, for example:
/mnt/mydir 192.168.128.0/24(rw,mp=/mntpoint,async)
mp: makes sure the specified mount point is mounted

Update using command :

exportfs -r

Check NFS is launched:

rpcinfo -p
You must see statd, mountd and portmap. Otherwise, relaunch the NFS server daemon.

To allow access to the system, put in /etc/hosts.allow:
portmap : 192.168.0.0/255.255.255.0  : allow
portmap : ALL : deny

Client side

apt-get install nfs-common portmap

try to mount the file system manually:

mount 192.168.0.2:/home /mnt/nfs

If it works, put it in /etc/fstab

Proxies

export http_proxy=http://server:port
export ftp_proxy=ftp://server:port

Don't forget the "http://" or "ftp://"

For apt-get, if you need a proxy, add the following line to apt's configuration:

Acquire::http::Proxy "http://server:port";

Certificates

To add a new CA to the system (the certificate must be PEM-encoded and its file name must end in .crt to be picked up):
openssl x509 -in blah.der -inform DER -out blah.crt -outform PEM
sudo cp blah.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updates of cacerts keystore disabled.
done.
If that does not work, try after that:
sudo dpkg-reconfigure ca-certificates

Debian packages

Finding the appropriate package that contains a given file: go to the Debian website and use the search engine.

Synaptic

To launch the GUI: Desktop -> Administration -> Synaptic Package Manager. apt-get mustn't be running.

apt

Sample configuration file

A neat /etc/apt/sources.list:
# CDrom
deb cdrom:[Debian GNU/Linux 4.0 r1 _Etch_ - Official amd64 NETINST Binary-1 20070820-20:16]/ etch contrib main

# Standard
deb http://ftp.fr.debian.org/debian/ stable main contrib non-free

# Uncomment this to get packages from the testing distrib
#deb http://ftp.fr.debian.org/debian/ testing main contrib non-free

# Security
deb http://security.debian.org/ stable/updates main contrib


# Uncomment if you want the apt-get source function to work
#deb-src http://security.debian.org/ etch/updates main contrib
If you want to use a web site with HTTPS in /etc/apt/sources.list, then first install:
sudo apt-get install apt-transport-https

Commands

  • update according to sources.list: apt-get update.
  • check for upgrades according to sources.list: apt-get upgrade
  • install a package: apt-get install pack*
  • install from a given distrib: apt-get install -t testing (or whatever) pack*
  • remove: apt-get remove pack* (does not remove configuration files; use purge for that).
  • list a package's description: apt-cache show pack*
  • show information of a given package: apt-cache policy pack*
  • clean previously downloaded packages (stored in /var/cache/apt/archives): apt-get clean
  • get the name of package for a given command: apt-cache search command

If you get the error "The following signatures couldn't be verified because the public key is not available", then you should add the corresponding GPG key:

  • get the key: gpg --recv-keys <its ID>
  • add the key to apt: apt-key add key.txt

aptitude

Aptitude is said to resolve conflicts better than apt-get. My own experience is insufficient on that behalf. Anyway, aptitude's commands are very similar to apt-get: aptitude install pack*, aptitude update, aptitude upgrade, aptitude dist-upgrade...

dpkg

  • list: dpkg -l pack
  • contained files: dpkg -L pack
  • install: dpkg -i pack
  • check which package a file belongs to: dpkg -S file
  • reconfiguration: dpkg-reconfigure pack
  • force a given package whose architecture doesn't match the current one (useful to install 32-bit packages on 64-bit systems): dpkg --force-architecture -i <package>

Creating a Debian package

  • apt-get install dh-make fakeroot
  • create a directory named after the package (name-version, don't use any strange characters)
  • put everything that should be in the package in that directory
  • tar.gz that directory
  • in the directory: perform dh_make -e email -f ../the.tar.gz
  • this creates the debian directory
  • modify the control file, rules, etc.
  • modify the makefile of the package so it puts things in DESTDIR.
  • dpkg-buildpackage -rfakeroot
  • Read the contents of a debian package: dpkg --contents ../hello_1.0-1_all.deb

Udev

Add rules in /etc/udev/rules.d. Then reload rules:
sudo udevadm control --reload-rules
If you need to restart udev: sudo service udev restart

Sound

Unmute:
pactl set-sink-mute 0 0
Mute:
pactl set-sink-mute 0 1
To set sound at 50 percent:
amixer set Master 50

Applications

This concerns Linux specific applications. Please also have a look at Unix applications or tools.

EncFS

EncFS is a nice userland encrypted 'filesystem'. Although its security might not suit all cases, it is pretty handy in several situations.

To install it,

apt-get install fuse-utils encfs

To create or open an encrypted disk:

encfs <encrypted path> <mountpoint>

To unmount an encrypted disk:

fusermount -u <mountpoint>

For more information regarding installation on Ubuntu, follow this link.

Fail2ban

sudo aptitude install fail2ban
The configuration should be written in /etc/fail2ban/jail.local (and not in jail.conf). See this link. To ignore local IP addresses, put something like:
ignoreip = 127.0.0.1/8 192.168.0.0/16
The "ban" action is what you do to ban people. In my case, I want the banned address to be added to /etc/hosts.deny:
banaction = hostsdeny
The "email" action is how to send emails if we decide to send some. If exim4 is configured, for example, use:
mta = sendmail
Then, jail.local defines a list of action shortcuts, such as banning the address and sending an email with a whois report: action_mw etc. The default action is specified in:
action = %(action_mwl)s
In that case, it means the default action is ban, send email with whois report and relevant log lines. The action can also be configured per section:
[mysection]
action = ...
If we do not want to send an email (but still want to ban the IP address), then use:
action = %(action_)s
Finally, each section explains where to enable banning:
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

To get the current status of fail2ban, run
$ sudo fail2ban-client status
Status
|- Number of jail:      4
`- Jail list:           apache, php-url-fopen, ssh, apache-myadmin
To restart fail2ban,
sudo /etc/init.d/fail2ban restart 
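
The following added example is not from the original page and is not fail2ban's code. It replays what the [ssh] jail above does over constructed auth.log lines: count failed sshd passwords per source, apply maxretry = 6, and skip sources covered by ignoreip, which also shows that a /8 prefix on a 192.168 address exempts all of 192.0.0.0/8. The function names, MAXRETRY and the sample addresses are assumptions; the findtime window is not modelled.

```sh
#!/bin/sh
# Added example, not fail2ban's code: offline approximation of the [ssh] jail.
# Assumptions: counts over the whole input (no findtime window), IPv4 only.
MAXRETRY=6   # same threshold as the [ssh] section

# in_cidr IP NET/BITS: exit status 0 when IP lies inside the network.
in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function num(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    BEGIN {
      split(cidr, c, "/"); bits = (c[2] == "" ? 32 : c[2])
      size = 2 ^ (32 - bits)          # number of addresses the prefix covers
      exit !(int(num(ip) / size) == int(num(c[1]) / size))
    }' </dev/null
}

# banned_ips [IGNOREIP...]: reads auth.log lines on stdin, prints the sources
# that reach MAXRETRY failed sshd passwords and match no ignoreip entry.
banned_ips() {
  awk -v max="$MAXRETRY" '
    # Anchor on the line tail ("from IP port N ssh2"): the user name is
    # chosen by the remote side and may itself contain " from 10.0.0.1".
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
      n[$(NF-3)]++
    }
    END { for (ip in n) if (n[ip] >= max) print ip }' | sort |
  while read -r ip; do
    skip=0
    for net in "$@"; do
      if in_cidr "$ip" "$net"; then skip=1; fi
    done
    if [ "$skip" -eq 0 ]; then echo "$ip"; fi
  done
}

# Constructed sample log; addresses are documentation or private ranges.
sample_log() {
  i=0
  while [ "$i" -lt 6 ]; do
    echo "Jan 10 03:12:0$i srv sshd[4242]: Failed password for root from 203.0.113.7 port 5210$i ssh2"
    echo "Jan 10 03:12:1$i srv sshd[4243]: Failed password for invalid user admin from 192.168.0.35 port 4100$i ssh2"
    echo "Jan 10 03:12:2$i srv sshd[4244]: Failed password for invalid user a from 10.0.0.1 from 192.0.2.44 port 4200$i ssh2"
    i=$((i + 1))
  done
  echo "Jan 10 03:14:00 srv sshd[4245]: Failed password for root from 198.51.100.9 port 40022 ssh2"
}

echo "ignoreip 192.168.0.0/16:"; sample_log | banned_ips 127.0.0.1/8 192.168.0.0/16
echo "ignoreip 192.168.0.1/8:";  sample_log | banned_ips 127.0.0.1/8 192.168.0.1/8
```

With the /16 entry, 192.0.2.44 and 203.0.113.7 are listed; with the /8 entry, 192.0.2.44 is never banned although it is not a local address.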

KPilot

Synchronizes your Palm with Kpilot, and Korganizer but only if it is open. If the Palm is connected to a serial port, try /dev/ttyS0 or /dev/ttyS1.

Rkhunter

sudo aptitude install rkhunter
In /etc/default/rkhunter,
CRON_DAILY_RUN="YES"

Portsentry

Configuration is in /etc/default/portsentry. Set:
TCP_MODE="atcp"
UDP_MODE="audp"
In /etc/portsentry/portsentry.conf, in the Dropping Routes section:
BLOCK_UDP="1"
BLOCK_TCP="1"
To test, use nmap:
nmap -v -PN -p 0-2000,60000 YOURSERVER

Sudo

Ubuntu makes heavy use of sudo. There's a neat information page there. For instance, opening a terminal with superuser privileges is possible using the option -s: sudo -s and exit to leave that mode.

To add users to the sudoers, simply add the user to the sudo group:
addgroup user sudo

Skype

Download the dynamic binary from Skype's website. It requires Qt 3.2, but works fine.

Wine

  • configuration of wine: winecfg
  • wine "c:\windows\notepad.exe"
  • winefile (a kind of explorer)

Interesting packages

  • cabextract
  • dosfstools: necessary to format FAT32 partitions on Linux
  • encfs: encrypted file system in userland. Requires fuse-utils.
  • ia32-libs and lib32asound2: for 32-bit libs on 64-bit systems
  • iceweasel: replacement for firefox
  • icedove, enigmail: replacement for thunderbird
  • linux-headers-2.6.18-6-amd64 (or similar): to get your kernel headers.
  • libc6-dev: for C headers and libraries (required to compile !). To install the headers, libraries + make and dpkg-dev, install package build-essential.
  • libieee1284 is necessary to use the parallel port as a user (not root)
  • manpages-dev: necessary if you want manpages for things such as fopen !!!
  • mp3info : information on MP3 files, such as genre, artists etc.
  • openssh-server: for a SSH server
  • rsh-redone-server: rlogind
  • ruby-dev: for ruby gems
  • screenlets: the screenlet manager
  • sharutils: contains uudecode
  • texlive-lang-french and texlive-latex-extra
  • xtightvncviewer: tight VNC client