System settings
Updates
update-manager &
Distribution upgrade
$ sudo sed -i 's/raring/saucy/' /etc/apt/sources.list
$ sudo sed -i 's/olivia/petra/' /etc/apt/sources.list
$ sudo sed -i 's/raring/saucy/' /etc/apt/sources.list.d/official-package-repositories.list
$ sudo sed -i 's/olivia/petra/' /etc/apt/sources.list.d/official-package-repositories.list
$ sudo apt-get update && sudo apt-get dist-upgrade
$ sudo apt-get upgrade
To upgrade the kernel on Linux Mint
To know which distribution you have:
inxi -S
Services
- update links in rc.d: update-rc.d <name> defaults
- remove: update-rc.d <name> remove
- to run a given command at startup, add it to /etc/init.d/rc.local
- List status of all services:
sudo service --status-all
service bluetooth stop
To disable bluetooth service on startup, add in /etc/rc.local:
rfkill block bluetooth
Syslog
To restart syslog:
kill -SIGHUP `cat /var/run/syslogd.pid`
Reset the locales
To set (or reset) the locale, do:
dpkg-reconfigure locales
To generate locales,
sudo locale-gen fr_FR.UTF-8
System Library path
- Modify /etc/ld.so.conf, add directory
- launch ldconfig
Time
To set the timezone:
sudo dpkg-reconfigure tzdata
To install NTP:
sudo apt-get install ntp
Cron - configuring periodic tasks
To list the contents of the crontab, do:
$ sudo crontab -l
# m h dom mon dow command
0 3 * * 1-5 /path/myscript.sh
Generating core dumps
By default, it seems the system won't generate core dumps:
$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
If you want to be able to core dump:
$ ulimit -c unlimited
This is for unlimited core dump (otherwise, set a size).
Disabling a user account
$ sudo usermod pi --expiredate 1
To disable login for an account:
passwd -l
Default browser
$ sudo update-alternatives --config x-www-browser
Networking
Hostname
Typical /etc/hosts:
127.0.0.1 localhost
yourIP your-host-name
Modify your host's name:
- modify /etc/hostname
- modify /etc/hosts
- Reboot
MAC address
sudo arp -a 192.168.0.35
? (192.168.0.35) at 00:e0:4c:b3:80:bf [ether] on eth0
IP address
Configure a static IP address
Solution 1. GUI
launch network-admin (Gnome menu: Desktop -> Administration -> Networking)
Solution 2. Manual
- for a permanent modification,
- write to /etc/network/interfaces
iface eth1 inet static
    address <your IP address, e.g 192.168.x.y>
    netmask <your mask, e.g 255.255.255.0>
    gateway <your gateway, e.g 192.168.x.254>
- restart the network: /etc/init.d/networking restart
DHCP client
Packages are:
- dhcp-client
- or dhcpcd5, isc-dhcp-client, isc-dhcp-common
Solution 1. GUI
Gnome Desktop -> Applications -> System -> Networking: choose your network card and set it for DHCP.
Solution 2. Manual
Edit /etc/network/interfaces :
auto eth0
iface eth0 inet dhcp
To disable dhcp,
sudo update-rc.d -f dhcpcd disable
To remove dhcp:
- Remove in /etc/network/interfaces this line:
iface eth0 inet dhcp
and make sure there is
dns-nameservers 8.8.8.8 4.2.2.1
- Disable dhcpcd
sudo update-rc.d dhcpcd disable
- Remove the packages:
sudo apt-get remove dhcpcd
sudo apt-get remove isc-dhcp-common
sudo apt-get remove isc-dhcp-client
sudo apt-get remove dhcpcd5
Route
Set up the route: route add default gw <your gateway>
In this example, the gateway is 192.168.2.1, and the host uses eth0.
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 1 0 0 eth0
To delete an existing gateway:
route del default gw IPAddrGateway
Set DNS you want to use to resolve names
- to modify the domain name: set /etc/hosts and /etc/resolv.conf (search)
- to restart the DNS server: /etc/init.d/bind restart
- DNS requests: dig @127.0.0.1 194.117.193.99 ANY
- to resolve a name: host <name>
Network troubleshooting
To check a network configuration:
- check interfaces: ifconfig should show available interfaces, typically a loopback interface and an Ethernet interface. If an interface is down, set it back up with ifconfig <interface name> up
- Check IPv6 is not messing with your network configuration (that is, if you don't need IPv6!):
- check the ipv6 module is not running: lsmod | grep ipv6
- the interfaces should not be configured for inet6: ip a | grep inet6
- the hosts file need not include any IPv6 address: check /etc/hosts
Denying access
To deny an IP address, put it in /etc/hosts.deny
Finding programs that open given ports
sudo netstat -ap | grep :
This command is also handy:
lsof -i :80
Network dependent services
- MTA: postfix, sendmail...
- MDA: procmail, dovecot, maildrop
- MUA: mutt...
Postfix is the default MTA for Ubuntu. It does not include an IMAP server (see dovecot). Its main configuration files are located in /etc/postfix (main.cf). Use postconf for configuration.
To start, reload or stop postfix: /etc/init.d/postfix start (reload...). Be sure that sendmail is not running: /etc/init.d/sendmail stop
If you do not need emails, it is a good idea to stop the nullmailer service:
sudo service nullmailer stop
or even sudo apt-get remove nullmailer. Otherwise, the mailer sends many DNS requests.
SSH
Client and Server
To use SSH:
- SSH server: apt-get install openssh-server
- SSH client: apt-get install openssh-client
Concerning one of the latest OpenSSL PRNG bugs, see here.
To reconfigure SSH (and regenerate keys):
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
The logs are generally in /var/log/auth.log
X forwarding
A very common situation consists in logging on a distant host D from your local host L, using ssh. Getting windows of D displayed on L is usually one of the first things you learn at school, but it sometimes turns out to be trickier. Using SSH, this is how to do it: edit /etc/ssh/ssh_config (or your own ssh config in ~/.ssh) and set
ForwardX11 no
ForwardX11Trusted yes
Then, from the prompt on L, do the following:
xhost + (or the host you want to allow)
ssh -X <address or name of D> -l <yourloginname>
That's all! You do not need to set your display. All of this is explained here, with nice hints to help you debug reluctant situations.
NFS
This subsection explains how to share a directory with NFS.
Server Side
Make sure the following options are set in your kernel:
- CONFIG_NFS_FS
- CONFIG_NFS_V3
- CONFIG_NFSD
CONFIG_NFS_FS=m
CONFIG_NFS_V3=y
# CONFIG_NFS_V3_ACL is not set
CONFIG_NFS_V4=y
CONFIG_NFS_DIRECTIO=y
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V3_ACL is not set
CONFIG_NFSD_V4=y
CONFIG_NFSD_TCP=y
CONFIG_NFS_COMMON=y
Get the necessary packages:
apt-get install nfs-kernel-server
Set up file systems to export:
/etc/exports
ex: /mnt/mydir 192.168.128.0/24(rw,mp=/mntpoint,async)
mp: makes sure specified mount point is mounted
Update using command:
exportfs -r
Check NFS is launched:
rpcinfo -p
You must see statd, mountd & portmap. Otherwise, relaunch the nfs server daemon. To allow access to the system:
/etc/hosts.allow
portmap : 192.168.0.0/255.255.255.0 : allow
portmap : ALL : deny
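A check worth running over /etc/exports before exportfs -r, given here as an added example that is not part of the original notes: it parses each export line and reports entries open to every host or exported with no_root_squash. The sample file, the function names and the treatment of a detached "(opts)" list as world access are assumptions of the example; paths containing spaces are not handled.

```python
import re

# Constructed sample /etc/exports (not from a real server).
SAMPLE_EXPORTS = """\
# project share, one subnet only
/mnt/mydir 192.168.128.0/24(rw,mp=/mntpoint,async)
/home      192.168.0.2(rw,no_root_squash) *(ro)
/srv/pub   10.0.0.0/8 (rw)
"""

# One client entry: optional host spec, optional "(opt,opt,...)" glued to it.
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for each client of each export line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        rest = fields[1] if len(fields) > 1 else ""
        for client, opts in CLIENT_RE.findall(rest):
            if client or opts:
                # A detached "(opts)" has no host in front of it: modelled
                # here as applying to every host, like an explicit "*".
                yield fields[0], client or "*", opts.split(",") if opts else []

def audit_exports(text):
    """Return (path, client, issue) findings for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            mode = "read-write" if "rw" in opts else "read-only"
            findings.append((path, client, mode + " for every host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root is not squashed"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The last sample line shows the classic slip: the space before "(rw)" detaches the options from 10.0.0.0/8, so the subnet gets the defaults and the rw list is no longer tied to it.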
Client side
apt-get install nfs-common portmap
Try to mount the file system manually:
mount 192.168.0.2:/home /mnt/nfs
If it works, put it in /etc/fstab
Proxies
export http_proxy=http://server:port
export ftp_proxy=ftp://server:port
Don't forget the "http://" or "ftp://".
For apt-get, if you need a proxy, add the following line to apt's configuration:
Acquire::http::Proxy "http://server:port";
Certificates
To add a new CA to the system (update-ca-certificates only picks up files ending in .crt):
openssl x509 -in blah.der -inform DER -out blah.crt -outform PEM
sudo cp blah.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d.... updates of cacerts keystore disabled.
done.
If that does not work, try after that:
sudo dpkg-reconfigure ca-certificates
Debian packages
Finding the appropriate package that contains a given file: go to the Debian website and use the search engine.
Synaptic
To launch the GUI: Desktop -> Administration -> Synaptic Package Manager. apt-get mustn't be running.
apt
Sample configuration file
A neat /etc/apt/sources.list:
# CDrom
deb cdrom:[Debian GNU/Linux 4.0 r1 _Etch_ - Official amd64 NETINST Binary-1 2007 0820-20:16]/ etch contrib main
# Standard
deb http://ftp.fr.debian.org/debian/ stable main contrib non-free
# Uncomment this to get packages from the testing distrib
#deb http://ftp.fr.debian.org/debian/ testing main contrib non-free
# Security
deb http://security.debian.org/ stable/updates main contrib
# Uncomment if you want the apt-get source function to work
#deb-src http://security.debian.org/ etch/updates main contrib
If you want to use a web site with HTTPS in /etc/apt/sources.list, then first install:
sudo apt-get install apt-transport-https
Commands
- update according to sources.list: apt-get update.
- check for upgrades according to sources.list: apt-get upgrade
- install a package: apt-get install pack*
- install from a given distrib: apt-get install -t testing (or whatever) pack*
- remove: apt-get remove pack* (does not remove configuration files; use purge for that).
- list a package's description: apt-cache show pack*
- show information of a given package: apt-cache policy pack*
- clean previously downloaded packages (stored in /var/cache/apt/archives): apt-get clean
- get the name of package for a given command: apt-cache search command
If you get the error "The following signatures couldn't be verified because the public key is not available", then you should add the corresponding GPG key:
- get the key: gpg --recv-keys <its ID>
- add the key to apt: apt-key add key.txt
aptitude
Aptitude is said to resolve conflicts better than apt-get. My own experience is insufficient in that respect. Anyway, aptitude's commands are very similar to apt-get: aptitude install pack*, aptitude update, aptitude upgrade, aptitude dist-upgrade...
dpkg
- list: dpkg -l pack
- contained files: dpkg -L pack
- install: dpkg -i pack
- check which package a file belongs to: dpkg -S file
- reconfiguration: dpkg-reconfigure pack
- force a given package whose architecture doesn't match the current one (useful to install 32-bit packages on 64-bit systems): dpkg --force-architecture -i <package>
Creating a Debian package
- apt-get install dh-make fakeroot
- create a directory with the name of the package (name-version, don't use any strange characters); in that directory put everything that should be in the package
- tar.gz that directory
- in the directory: perform dh_make -e email -f ../the.tar.gz
- this creates the debian directory
- modify the control file, rules, etc.
- modify the makefile of the package so it puts things in DESTDIR.
- dpkg-buildpackage -r fakeroot
- Read the contents of a debian package: dpkg --contents ../hello_1.0-1_all.deb
Udev
Add rules in /etc/udev/rules.d. Then reload rules:
sudo udevadm control --reload-rules
If you need to restart udev: sudo service udev restart
Sound
Unmute:
pactl set-sink-mute 0 0
Mute:
pactl set-sink-mute 0 1
To set sound at 50 percent:
amixer set Master 50
Applications
This concerns Linux specific applications. Please also have a look at Unix applications or tools.
EncFS
EncFS is a nice userland encrypted 'filesystem'. Although its security might not suit all cases, it is pretty handy in several situations.
To install it,
apt-get install fuse-utils encfs
To create or open an encrypted disk:
encfs <encrypted path> <mountpoint>
To unmount an encrypted disk:
fusermount -u <mountpoint>
For more information regarding installation on Ubuntu, follow this link.
Fail2ban
sudo aptitude install fail2ban
The configuration should be written in /etc/fail2ban/jail.local (and not in jail.conf). See this link. To ignore local IP addresses, put something like:
ignoreip = 127.0.0.1/8 192.168.0.0/16
The "ban" action is what you do to ban people. In my case, I want the banned address to be added to /etc/hosts.deny:
banaction = hostsdeny
The "email" action is how to send emails if we decide to send some. If exim4 is configured, for example, use:
mta = sendmail
Then, the jail.local defines a list of action shortcuts, such as banning the address and sending an email with whois report: action_mw etc. The default action is specified in:
action = %(action_mwl)s
In that case, it means the default action is ban, send email with whois report and relevant log lines. The action can also be configured per section:
[mysection]
action = ...
If we do not want to send an email (but still want to ban the IP address), then use:
action = %(action_)s
Finally, each section explains where to enable banning:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
To get the current status of fail2ban, run
$ sudo fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: apache, php-url-fopen, ssh, apache-myadmin
To restart fail2ban,
sudo /etc/init.d/fail2ban restart
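A small audit of a jail.local along the lines described above, given as an added example that is not part of the original notes or of fail2ban itself: it reports ignoreip entries that exempt more than loopback or private addresses from banning, and lists the enabled jails with the action they inherit. The sample file, the function names and the list of ranges treated as local are assumptions of the example.

```python
import configparser
import ipaddress

# Constructed sample jail.local (not taken from a real host).
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.1/8 10.0.0.0/8 gateway.example
banaction = hostsdeny
action = %(action_mwl)s
[ssh]
enabled = true
logpath = /var/log/auth.log
[apache]
enabled = false
"""

# Loopback and private ranges treated as "local" (an assumption of this example).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7".split()]

def check_ignoreip(value):
    """Return (entry, effective_network, problem) for each risky entry."""
    findings = []
    for entry in value.split():
        try:
            # strict=False masks host bits: the range the entry really covers
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, None, "hostname, trust depends on DNS"))
            continue
        if not any(net.version == r.version and net.subnet_of(r)
                   for r in LOCAL_RANGES):
            findings.append((entry, str(net), "covers non-local addresses"))
    return findings

def audit(text):
    """Return (ignoreip findings, {enabled jail: effective action})."""
    # interpolation=None keeps the %(action_...)s shortcuts as literal text
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    risky = check_ignoreip(cfg.get("DEFAULT", "ignoreip", fallback=""))
    jails = {name: cfg.get(name, "action", fallback=None)
             for name in cfg.sections()
             if cfg.getboolean(name, "enabled", fallback=False)}
    return risky, jails

if __name__ == "__main__":
    for finding in audit(SAMPLE_JAIL_LOCAL)[0]:
        print(finding)
```

In the sample, 192.168.0.1/8 is reported because the /8 mask widens it to 192.0.0.0/8, which reaches well beyond the private 192.168.0.0/16 block.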
KPilot
Synchronizes your Palm with Kpilot, and Korganizer but only if it is open. If the Palm is connected to a serial port, try /dev/ttyS0 or /dev/ttyS1.
Rkhunter
sudo aptitude install rkhunter
In /etc/default/rkhunter,
CRON_DAILY_RUN="YES"
Portsentry
Configuration is in /etc/default/portsentry. Set:
TCP_MODE="atcp"
UDP_MODE="audp"
In /etc/portsentry/portsentry.conf, in the Dropping Routes section:
BLOCK_UDP="1"
BLOCK_TCP="1"
To test, use nmap:
nmap -v -PN -p 0-2000,60000 YOURSERVER
Sudo
Ubuntu makes heavy use of sudo. There's a neat information page there. For instance, opening a terminal with superuser privileges is possible using the option -s: sudo -s and exit to leave that mode.
To add users to the sudoers, simply add the user to the sudo group:
addgroup user sudo
Skype
Download the dynamic binary from Skype's website. It requires Qt 3.2, but works fine.
Wine
- configuration of wine: winecfg
- wine "c:\windows\notepad.exe"
- winefile (a kind of explorer)
Interesting packages
- cabextract
- dosfstools: necessary to format FAT32 partitions on Linux
- encfs: encrypted file system in userland. Requires fuse-utils.
- ia32-libs and lib32asound2: for 32-bit libs on 64-bit systems
- iceweasel: replacement for firefox
- icedove, enigmail: replacement for thunderbird
- linux-headers-2.6.18-6-amd64 (or similar): to get your kernel headers.
- libc6-dev: for C headers and libraries (required to compile!). To install the headers, libraries + make and dpkg-dev, install package build-essential.
- libieee1284 is necessary to use the parallel port as a user (not root)
- manpages-dev: necessary if you want manpages for things such as fopen !!!
- mp3info : information on MP3 files, such as genre, artists etc.
- openssh-server: for a SSH server
- rsh-redone-server: rlogind
- ruby-dev: for ruby gems
- screenlets: the screenlet manager
- sharutils: contains uudecode
- texlive-lang-french and texlive-latex-extra
- xtightvncviewer: tight VNC client