Archives for : Ubuntu

Howto: build Naemon from source for Ubuntu 12.04

It’s quite straightforward to build Naemon from source on Ubuntu; all required software is available as packages in the standard repository.

Install dependencies

Get latest version of Naemon

Update source (meta package may not be updated)

Build Naemon

Create DEB

Install Naemon

Restart Apache

Change path to Nagios-plugins for Naemon

Find row: $USER1$=/usr/lib/naemon/plugins
Change to: $USER1$=/usr/lib/nagios/plugins

Reload config for Naemon

Done!
Browse to server/naemon and use admin/admin

How to compile Reaver under Ubuntu 12.04 (and aircrack-ng)

This is a quick how-to on compiling and installing Reaver under Ubuntu 12.04.

Steps:

  1. download source
  2. install required libraries and tools
  3. download and build aircrack-ng
  4. compile and install
  5. run =)

Download Source

First you need to download the latest source from http://code.google.com/p/reaver-wps/

wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz

Extract the tarball

tar -xzvf reaver-1.4.tar.gz

Install Required Libraries and Tools

Before you can build Reaver you need libpcap, and later on aircrack-ng (iw) to run Reaver.

sudo apt-get install libpcap-dev sqlite3 libsqlite3-dev libpcap0.8-dev

Compile and Install

Build Reaver

cd reaver-1.4
cd src
./configure
make

Install Reaver

sudo make install

Download aircrack-ng source and build it

As of Ubuntu 12.04, aircrack-ng is no longer in the repository, but you can still download the source and compile it. Only one small tweak is needed, since without it the build fails with the following errors.

johan@ubuntu-lab:~/aircrack-ng-1.1$ make
make -C src all
make[1]: Entering directory /home/johan/aircrack-ng-1.1/src'
make -C osdep
make[2]: Entering directory /home/johan/aircrack-ng-1.1/src/osdep'
Building for Linux
make[3]: Entering directory /home/johan/aircrack-ng-1.1/src/osdep'
gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=0  -fPIC -I..    -c -o osdep.o osdep.c
gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=0  -fPIC -I..    -c -o network.o network.c
gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=0  -fPIC -I..    -c -o linux.o linux.c
linux.c: In function ‘is_ndiswrapper’:
linux.c:165:17: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘linux_set_rate’:
linux.c:334:22: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘linux_set_channel’:
linux.c:807:22: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘linux_set_freq’:
linux.c:896:22: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘set_monitor’:
linux.c:1022:22: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘do_linux_open’:
linux.c:1366:12: error: variable ‘unused_str’ set but not used [-Werror=unused-but-set-variable]
linux.c:1352:15: error: variable ‘unused’ set but not used [-Werror=unused-but-set-variable]
linux.c: In function ‘get_battery_state’:
linux.c:1982:35: error: variable ‘current’ set but not used [-Werror=unused-but-set-variable]
cc1: all warnings being treated as errors
make[3]: *** [linux.o] Error 1
make[3]: Leaving directory /home/johan/aircrack-ng-1.1/src/osdep'
make[2]: *** [all] Error 2
make[2]: Leaving directory /home/johan/aircrack-ng-1.1/src/osdep'
make[1]: *** [osd] Error 2
make[1]: Leaving directory /home/johan/aircrack-ng-1.1/src'
make: *** [all] Error 2

This is how to build aircrack-ng under Ubuntu 12.04

sudo apt-get install build-essential
sudo apt-get install libssl-dev
wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar -zxvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1

Edit common.mak, for example with vi

vi common.mak

Find the following row

CFLAGS          ?= -g -W -Wall -Werror -O3

Remove “-Werror” so that it looks like this

CFLAGS          ?= -g -W -Wall -O3

Save the file, build and install

make
sudo make install

Run

Reaver is now installed and ready to use. You first need to put the wifi adapter into monitor mode before you can start, and the easiest way is to use airmon-ng (part of aircrack-ng), which you just installed.

First put your adapter into monitor mode; in my case it’s wlan0

sudo airmon-ng start wlan0

Run Reaver

sudo reaver -i mon0 -b 00:00:00:00:00:00

Replace the MAC 00:00:00:00:00:00 with the MAC address of the actual AP to crack

– Johan Ryberg

Guide: How to make the Gobi 2000 Wireless modem work under Ubuntu 12.04

Install the 3G modem Sierra Wireless, Inc. Gobi 2000 Wireless Modem

This is a how-to for installing the 3G modem “Sierra Wireless, Inc. Gobi 2000 Wireless Modem” under Ubuntu 12.04 LTS (Precise Pangolin) with basic support for GPS

This guide should work with the following models:

  • Fujitsu CELSIUS H700
  • Fujitsu LIFEBOOK A530 / AH530
  • Fujitsu LIFEBOOK A550 / AH550 (Intel Gfx)
  • Fujitsu LIFEBOOK AH550 (NVidia Gfx)
  • Fujitsu LIFEBOOK E780 (Intel Gfx)
  • Fujitsu LIFEBOOK E780 (NVidia Gfx)
  • Fujitsu LIFEBOOK P3110
  • Fujitsu LIFEBOOK P770
  • Fujitsu LIFEBOOK P8110
  • Fujitsu LIFEBOOK PH530
  • Fujitsu LIFEBOOK S710
  • Fujitsu LIFEBOOK S760
  • Fujitsu LIFEBOOK T4410/ T4310
  • Fujitsu LIFEBOOK T580
  • Fujitsu LIFEBOOK T730
  • Fujitsu LIFEBOOK T900
  • Fujitsu LIFEBOOK TH700
  • Fujitsu LIFEBOOK UH900
  • and other models from HP, Lenovo and others with Sierra Wireless, Inc. Gobi 2000 Wireless Modem

First, use lsusb to check that you really have the integrated modem in your computer

johan@ubuntu-lab:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 1199:9000 Sierra Wireless, Inc. Gobi 2000 Wireless Modem (QDL mode)
Bus 001 Device 004: ID 04f2:b186 Chicony Electronics Co., Ltd
Bus 002 Device 003: ID 08ff:2550 AuthenTec, Inc.
Bus 002 Device 004: ID 1b96:0008 N-Trig
Bus 002 Device 005: ID 1690:0741 Askey Computer Corp. [hex]
Bus 001 Device 005: ID 1234:ffff Unknown

Install the wrapper for Gobi that is needed to load the 3G modem firmware, and wine, which you need to extract the firmware from the driver installation package for Microsoft Windows XP/Windows 7.

johan@ubuntu-lab:~$ sudo apt-get install gobi-loader wine

Download the drivers from http://support.ts.fujitsu.com/Download/Download.asp?SoftwareGUID=BE060271-9410-4E34-B732-D7D016F9EC27&Filename=FTS_SierraWirelessGobi2000HSUSBMobileBroadband_11180_1053221.zip

Start a terminal and navigate to the path where you saved the download. In my case it’s in ~/Downloads.

johan@ubuntu-lab:~$ cd Downloads/

Extract the archive with command unzip FTS_SierraWirelessGobi2000HSUSBMobileBroadband_11180_1053221.zip

johan@ubuntu-lab:~/Downloads$ unzip FTS_SierraWirelessGobi2000HSUSBMobileBroadband_11180_1053221.zip

Navigate to the folder that has just been created

johan@ubuntu-lab:~/Downloads$ cd 72-VR322-15_1.1.180

Use wine and the command msiexec to extract the drivers from the MSI file. The files will be saved on wine’s “virtual” c: drive, which is really stored under ~/.wine/drive_c

johan@ubuntu-lab:~/Downloads/72-VR322-15_1.1.180$ wine msiexec /a GobiInstaller.msi /qb TARGETDIR="c:\temp"

Create the folder /lib/firmware/gobi and copy the driver to that path

johan@ubuntu-lab:~/Downloads/72-VR322-15_1.1.180$ sudo mkdir /lib/firmware/gobi
johan@ubuntu-lab:~/Downloads/72-VR322-15_1.1.180$ sudo cp ~/.wine/drive_c/temp/Images/Sierra/UMTS/* /lib/firmware/gobi/
johan@ubuntu-lab:~/Downloads/72-VR322-15_1.1.180$ sudo cp ~/.wine/drive_c/temp/Images/Sierra/0/UQCN.mbn /lib/firmware/gobi/

It’s now time to restart the computer so that the 3G modem loads its firmware; after that it will be visible in network-manager, for example.

GPS

Some models of the Gobi 2000 have an internal GPS that can also be used, but in my case the 3G modem disappears every time I communicate with the GPS and I have not solved that problem yet. If you have any tips that may solve this problem I would be happy.

Install any GPS client of your choice. I have chosen gpsd

johan@ubuntu-lab:~$ sudo apt-get install gpsd gpsd-clients

Configure gpsd

johan@ubuntu-lab:~$ sudo /lib/udev/gpsd.hotplug add /dev/ttyUSB2
johan@ubuntu-lab:~$ sudo dpkg-reconfigure gpsd

Enter /dev/ttyUSB2 as the path to the GPS

Start gpsd

johan@ubuntu-lab:~$ sudo service gpsd start

The GPS won’t work until you tell it to, so you need to start it manually with the following command. Please note that the 3G modem will stop working as soon as you start to communicate with /dev/ttyUSB2. The string $GPS_START is sent literally, so the dollar sign is escaped to keep the shell from expanding it.

johan@ubuntu-lab:~$ sudo su -
root@ubuntu-lab:~$ echo "\$GPS_START" > /dev/ttyUSB2

To stop the GPS enter the following command

johan@ubuntu-lab:~$ sudo su -
root@ubuntu-lab:~$ echo "\$GPS_STOP" > /dev/ttyUSB2

– Johan Ryberg

Configure SSH for high security

There are some steps to take after SSH is installed on a system. An old saying goes “A chain is only as strong as its weakest link”: if you are using a weak password for your root account (or any other account), you are extremely vulnerable. It does not matter that the communication is secure if your password is easily brute-forced. All steps were performed on Ubuntu 11.10 but should be the same on OpenBSD, Debian, Linux Mint or any other Linux distribution with no or very few modifications.

We are going to do the following steps

  • Create certificate
  • Set correct permissions on the .ssh folder and files
  • Shut down the possibility to log in with a password
  • Prevent root from logging in via SSH
  • Remove less secure encryption methods
  • Enable visual identification of the server fingerprint
  • Optional: Change SSH port (does not really increase security)

Create certificate
We are going to use an RSA key with a key length of 4096 bits. Open a terminal and enter “ssh-keygen -t rsa -b 4096”. A 1024-bit key should be enough, but better safe than sorry.

johan@johan-laptop:~$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.

Then you will be asked where to store the key. If you already have keys in id_dsa, you should enter another file name or your existing keys will be overwritten. If you are satisfied with the suggestion, simply press Enter.

Enter file in which to save the key (/home/johan/.ssh/id_rsa):

It’s now time to enter a password. Use a strong password with upper- and lower-case letters, numbers and symbols. The password should also be unique and stored in a secure place, such as an encrypted container like Keepass.

Enter passphrase (empty for no passphrase): 2sWf3+@/’?B>.%DpBU”r
Enter same passphrase again: 2sWf3+@/’?B>.%DpBU”r
Your identification has been saved in /home/johan/.ssh/id_rsa.
Your public key has been saved in /home/johan/.ssh/id_rsa.pub.
The key fingerprint is:
31:b0:be:0b:5b:7c:f1:79:65:e4:72:42:18:08:c4:8d
The key’s randomart image is:
+--[ RSA 4096]----+
|     o++ ..o.    |
|      Eoo ..     |
|      . o   . .  |
|     .   o o +   |
|      . S   +    |
|     . o o o     |
|    . + o .      |
|     + o .       |
|    . .          |
+-----------------+

Enable the public key for authentication
The public key should be stored in ~/.ssh/authorized_keys, and there can be more than one key for a single user. Just add a new row for each public key. If your key should be installed on the same system where you just created the private key, simply copy id_rsa.pub to authorized_keys

johan@johan-laptop:~$ cd ~/.ssh
johan@johan-laptop:~/.ssh$ cp id_rsa.pub authorized_keys

If you want to use the public key on another machine, you can copy it using scp (secure copy). Please note that this will replace the existing authorized_keys if you already have one in place. To copy, enter the following command.

johan@johan-laptop:~/.ssh$ scp -p ~/.ssh/authorized_keys 192.168.0.1:.ssh/
johan@192.168.0.1’s password:
authorized_keys 100% 1839 1.2MB/s 00:00

Set correct permissions on the .ssh folder and files

Make sure that your working folder is your home folder, and replace “johan” with your username. The folder ends up accessible only to its owner (700) and the files in it readable and writable only by the owner (600).

johan@johan-laptop:~/.ssh$ cd ~
johan@johan-laptop:~$ sudo chown -R johan:johan .ssh
johan@johan-laptop:~$ sudo chmod -R 600 .ssh
johan@johan-laptop:~$ sudo chmod u+x .ssh

Do a test login to verify the public key

johan@johan-laptop:~/.ssh$ ssh johan@localhost
Enter passphrase for key ‘/home/johan/.ssh/id_rsa’:

After you have entered the private key password you should have access to your machine. If not, you will have to look for errors in the logs, but I will not cover that in this guide.

Configure sshd
The next step is to modify sshd. All settings we will change are in the file /etc/ssh/sshd_config. Start by making a backup of sshd_config, just in case.

johan@johan-laptop:/$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Password:

Use your preferred editor to edit sshd_config. I prefer vi but I will use nano in this example.

johan@johan-laptop:/$ sudo nano /etc/ssh/sshd_config

The following lines are going to be added or altered:

  • PermitRootLogin yes
  • #PasswordAuthentication yes
  • Ciphers

PermitRootLogin no

root should never be used, since it is much more secure to use a regular user instead; when you need to perform an administrative task, use the command sudo, which gives you temporary administrative rights.
We are also going to remove the possibility to log in with a password (you will be forced to use the private key). Find the row which looks like this:

PermitRootLogin yes

Modify it to look like this

PermitRootLogin no

Find the row which looks like this

#PasswordAuthentication yes

Modify it to look like this

PasswordAuthentication no

Finally, a Ciphers line is going to be added. It may not apply to newer installations, but the default ciphers have not always been the best choices and sshd should be forced to use only the strongest ones.

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

More information about why to alter the ciphers can be found here:
[1] http://openssh.org/txt/cbc.adv
[2] http://www.cpni.gov.uk/Docs/Vulnerab…visory_SSH.txt
[3] http://www.cs.washington.edu/homes/y…pers/TISSEC04/

Verify these entries:

  • Protocol 2
  • UsePrivilegeSeparation yes
  • StrictModes yes
  • RSAAuthentication yes
  • PubkeyAuthentication yes

Save and exit

Restart sshd to activate the settings.

johan@johan-laptop:~/.ssh$ sudo service ssh restart
Password:
ssh start/running, process 2212

Enable visual identification of the server’s fingerprint (Visual Host Key)
It’s not easy to verify and remember the fingerprint of a host, since it’s a long hexadecimal string that may look like this one: “31:b0:be:0b:5b:7c:f1:79:65:e4:72:42:18:08:c4:8d”. Someone may have altered the DNS record so that you are in fact trying to authenticate to a rogue server, and remembering that string is nearly impossible. A visual fingerprint is easier to remember, but it’s still not bulletproof. It’s best to verify the exact string every time, which most SSH clients do; OpenSSH, for example, stores them in ~/.ssh/known_hosts and warns you if one has changed.

Do the following to enable the visual host key

Edit either /etc/ssh/ssh_config, which affects all users on the system, or ~/.ssh/config to enable it for a single user.

Add the following lines (“Host *” is already at the top of ssh_config)

Host *
VisualHostKey yes

Test and verify
It’s now time to test and verify. You should not be able to log in without your private key, and password authentication should be disabled. You should also see the visual fingerprint when you try to log in.
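One way to check the edited file before relying on it, as an added example that is not part of the original guide: a POSIX shell audit of an sshd_config against the settings listed above. The function names and both sample configurations are constructed for illustration, and the parser assumes whitespace-separated keyword/value pairs.

```shell
# Added example: audit an sshd_config against the settings from this guide.
# sshd uses the FIRST occurrence of a keyword, keywords are case-insensitive,
# and "#PasswordAuthentication yes" is a comment, so the default still applies.

# Print the value of keyword $2 in file $1 (nothing if it is not set).
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Compare the file with the guide's checklist. Prints one line per
# mismatch and returns the number of mismatches (0 = all good).
audit_sshd_config() {
    findings=0
    while read -r key want; do
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', found '${got:-<not set>}'"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
Protocol 2
UsePrivilegeSeparation yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
EOF
    return "$findings"
}

# List CBC-mode and arcfour (RC4) entries on the Ciphers line; later
# OpenSSH releases dropped both from the default cipher list.
legacy_ciphers() {
    sshd_value "$1" Ciphers | tr ',' '\n' |
        grep -E -e '-cbc$' -e '^arcfour' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample input: stock settings before the guide's edits.
sample_before() {
    printf '%s\n' 'Protocol 2' 'UsePrivilegeSeparation yes' \
        'PermitRootLogin yes' 'StrictModes yes' 'RSAAuthentication yes' \
        'PubkeyAuthentication yes' '#PasswordAuthentication yes'
}

# Constructed sample input: the same file after the guide's edits.
sample_after() {
    sample_before | sed -e 's/^PermitRootLogin yes/PermitRootLogin no/' \
        -e 's/^#PasswordAuthentication yes/PasswordAuthentication no/'
    echo 'Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc'
    echo 'PasswordAuthentication yes'   # later duplicate: sshd ignores it
}

cfg=$(mktemp)
sample_before > "$cfg"
audit_sshd_config "$cfg" || echo "before: $? finding(s)"
sample_after > "$cfg"
audit_sshd_config "$cfg" && echo "after: checklist satisfied"
echo "legacy ciphers: $(legacy_ciphers "$cfg")"
rm -f "$cfg"
```

On a live system, `sudo sshd -T` prints the effective configuration that sshd will actually use, which also covers defaults and included files.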

Your SSH should be safer now, but remember that SSH was probably the most secure software from the beginning with default settings, and MySQL, Apache or any other system also has to be secured.

–  Johan Ryberg

mysqlbackup-ng revamped

MySQLBackup-NG is a nice little script that backs up MySQL databases, compresses the file and then sends it with scp to the desired location.

I have almost completely rewritten it since version 1.1, which was previously available on Google Code, which means that 2.0 is 100% POSIX-compatible and works on both OpenBSD and Linux, for example Ubuntu Server 10.04.

You can find MySQLBackup-NG on GitHub: https://github.com/jryberg/MySQLbackup-ng

–  Johan Ryberg

Use SSH together with an encrypted home directory in Ubuntu

Since you normally do not allow passwords over SSH but require certificates, there is a limitation in the default installation of Ubuntu that makes it impossible to log in if you have an encrypted home directory. This is because authorized_keys is located under /home/<username>/.ssh/, which is inside the encrypted home directory and is therefore not accessible before you have logged in. The problem is precisely that you are not logged in, so the home directory is not decrypted when sshd needs to read the file’s contents to determine whether your private key matches the public key.

If you have this problem, lines similar to these should appear in /var/log/auth.log for every failed login attempt:

Jan 11 20:55:25 server su[28291]: pam_sm_authenticate: Called
Jan 11 20:55:25 server su[28291]: pam_sm_authenticate: username = [<användarnamn>]
Jan 11 20:55:25 server su[28292]: Passphrase file wrapped
Jan 11 20:55:27 server su[28292]: Error attempting to add filename encryption key to user session keyring; rc = [1]

Fortunately, the solution is very simple.

First create a new directory named /etc/ssh-public-keys/<username>/

sudo mkdir -p /etc/ssh-public-keys/johan

Move authorized_keys to /etc/ssh-public-keys/<username>/

sudo mv ~/.ssh/authorized_keys /etc/ssh-public-keys/johan/

Edit /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Change AuthorizedKeysFile to

AuthorizedKeysFile /etc/ssh-public-keys/%u/authorized_keys

Then restart sshd for the change to take effect

sudo service ssh restart

–  Johan Ryberg

Set the correct timestamp on your photos in Ubuntu 10.10

I ran into an interesting problem after backing up the pictures on my Android phone. The timestamp on all files was set to the time when I copied the files back, which meant that all files ended up in complete disorder when viewed in Gallery, the image viewer that comes with HTC phones.

The solution is called exif-touch, a Perl script that reads the metadata stored in the pictures and sets the correct date on them.

First, exif-touch has to be downloaded, which is done from this page: http://chris.improbable.org/2007/01/8/exif-touch/
Direct link to the script: https://github.com/acdha/unix_tools/blob/master/bin/exif-touch

Save the script locally on the computer in a suitable directory, in my case directly in my home directory: /home/johan/exif-touch

Two Perl libraries for handling EXIF data must also be downloaded, which you do with the following command:

sudo apt-get install libimage-exif-perl libimage-info-perl

Then run the script by entering the following command

perl /home/johan/exif-touch

–Johan Ryberg

Install VMware Tools in Ubuntu 10.04 and 10.10

This is how you install VMware Tools in Ubuntu

Add the VMware repository to /etc/apt/sources.list
deb http://packages.vmware.com/tools/esx/4.1latest/ubuntu lucid main restricted

Fetch VMware’s key
wget http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub -O- | sudo apt-key add -

Install the components
sudo apt-get update

sudo apt-get install vmware-open-vm-tools-kmod-source
sudo module-assistant prepare
sudo module-assistant build vmware-open-vm-tools-kmod-source
sudo module-assistant install vmware-open-vm-tools-kmod

If you run a server WITHOUT X, run the following command
sudo apt-get install vmware-open-vm-tools-nox
If you use X, run this instead
sudo apt-get install vmware-open-vm-tools

Then restart the machine

— Johan Ryberg

Fix for eth0 disappearing after migrating Ubuntu under VMware

If you clone a machine, physically or virtually, eth0 usually disappears.

This is easily fixed by modifying the following file: /etc/udev/rules.d/70-persistent-net.rules

Delete all old interfaces that are no longer in use, usually eth0, and then rename the remaining interface to eth0.

Save and reboot, and you should have eth0 back

— Johan Ryberg

Fix Munin so that MySQL can be monitored in Ubuntu 10.10

Munin’s MySQL checks do not work on Ubuntu 10.10 because some dependencies are missing. These are easily installed by entering the following in the console

sudo apt-get install libcache-cache-perl
sudo apt-get install libipc-sharelite-perl

Then the MySQL checks must be enabled by entering the following

sudo ln -sf /usr/share/munin/plugins/mysql_bytes /etc/munin/plugins/mysql_bytes
sudo ln -sf /usr/share/munin/plugins/mysql_queries /etc/munin/plugins/mysql_queries
sudo ln -sf /usr/share/munin/plugins/mysql_slowqueries /etc/munin/plugins/mysql_slowqueries
sudo ln -sf /usr/share/munin/plugins/mysql_threads /etc/munin/plugins/mysql_threads

munin-node must then be restarted for the new settings to take effect

sudo service munin-node restart

Then check that there are no error messages after the restart by entering

sudo tail /var/log/munin/munin-node.log

— Johan Ryberg