Categories
Security Ubuntu

Securing the list of last logged in users

The command ‘last‘ lists the times and dates of successful logins. The command ‘lastb‘ lists unsuccessful attempts. I found that both unnecessarily had public read access on most of my Ubuntu servers.

Two log files provide the data used by last and lastb. Both can be secured by changing the permission to 660.

sudo ls -l /var/log/?tmp
sudo chmod 660 /var/log/?tmp
sudo ls -l /var/log/?tmp

Afterwards, to list successful logins, use:-

sudo last

To list unsuccessful logins, use:-

sudo lastb

Categories
Security Ubuntu

Restricting access to ftpd

Whether the ftp daemon is in use or not on a Linux host, it’s a good idea to restrict the system user accounts from using it. Any user ID that is in /etc/passwd that is not permitted to use ftp should be copied to /etc/ftpusers. The following commands for Ubuntu create the file with a list of all users.

sudo awk -F”:” ‘{ print $1 }’ /etc/passwd | sort > ~/ftpusers

Edit the resulting ~/ftpusers to remove the IDs that are allowed to use ftp.

sudo nano ~/ftpusers

Then move the file from your home directory to /etc.

sudo mv ~/ftpusers /etc

Categories
Ubuntu

Wireshark missing interfaces on Ubuntu 10.10

The old Dell laptop that I use for packet sniffing was in need of a rebuild after I had been experimenting with Zabbix. In hindsight, I shouldn’t have used the laptop that has become my network toolkit. I had well and truly messed it up and I was desperate to get it operational again.

Ubuntu 10.10 had recently been released and I had already downloaded the ISO images overnight. With a freshly burned CDR in my hand, I set about installing the new version. This laptop is primarily a network analysis tool so Wireshark was naturally the first application to be installed. It wasn’t long before I found that 10.10 has the same missing interface problem that I had experienced with 10.04. “No problem” I thought. “I will just use the fix that I found for 10.04“. Well, that didn’t work either. I left it for a day to have a think, and came back to it with a solution that I found on Launchpad. The fix is as follows.
In a terminal session, execute these commands:-

sudo addgroup –quiet –system wireshark
sudo chown root:wireshark /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap

Using your favourite text editor, add your user id to the wireshark group in /etc/group or use usermod instead:-

sudo usermod -a -G wireshark vince

Reconfigure the Wireshark Common package and answer ‘Yes’ to the question ‘Should non-superusers be able to capture packets?’ :-

sudo dpkg-reconfigure wireshark-common

Reboot, login and test Wireshark. The missing interfaces should be present now.

Categories
Internet Ubuntu

Scheduling automatic updates to save money

I had an unlimited download account with my previous Internet Service Provider and I never worried about what time of day I would download a CD-ROM ISO or system update. However, since changing to PlusNet I am now on a 60GB per month download limit as unlimited accounts are now a thing of the past. Now 60GB may seem a generous allowance, but in reality upload traffic also has to come of the allowance. With everyone in my household being a heavy internet user, 60GB a month is often not enough.

Fortunately for PlusNet customers, any internet use after midnight and before 8am does not come out of their monthly allowance. So to take advantage of this overnight benefit I have been adjusting the times that our computers perform their automated updates.

For all of our Microsoft Windows machines this is easily done in Windows update. Just set the time that updates should commence. In my case, I have set our fastest Windows PC to update at 7:05am, and all the others at 7:10am. My Son’s PC is woken up at 7:00am by it’s system BIOS and the updates it pulls down are cached on my Squid Proxy Server. The other Windows PCs collect their updates when they are switched on and most of the files are served from the proxy cache.

For all my Ubuntu hosts I have disabled the built-in automatic update feature and I use a CRON job that I can control instead. To do this, open a terminal session and run the CRONtab editor with the following command:-

sudo crontab -e

When the editor launches, paste the following line into the file and save your work. That’s it.

5 0 * * * (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) 2>&1 >> /var/log/automatic-update.log

Cron will perform a safe upgrade at 5 minutes past midnight. As I am using a Squid proxy to cache Ubuntu updates, I set my other machines to start their update 5 minutes later by changing the ‘5’ for ’10’ in the crontab line.

For a more detailed explanation of how this crontab command is constructed visit Kevin van Zonneveld’s blog

Want to save money on your broadband? Quick, grab this lifeline from PlusNet. Up to 20Mb broadband from only£9.99 per month. Free setup available - terms apply. Now with Internet phone calls. PlusNet broadband.
Categories
FreeSwitch Hardware

Camrivox Flexor 500 SIP Telephone

Camrivox Flexor 500

I recently purchased three Flexor 500 telephones to use with my new FreeSwitch installation at home.

So far, I am quite pleased with the telephones although I am still in a process of discovering their capabilities. It appears that these phones are popular with VoIP providers that sell service to end users with a preconfigured phone. My three, fortunately, were unlocked or otherwise unprovisioned which gave me full access to the telephone’s built in web based configuration so I can use them with my own PBX.

One thing I noticed very early on was that the phone’s DTMF tones were not being processed by FreeSwitch. An example of this was FreeSwitch refusing to respond to any keys pressed when in the default IVR. As I already had a working X-Lite Softphone I knew the fault was likely to be with the Flexor 500 but I couldn’t find the setting. Then after a couple of days I noticed some tiny links at the bottom of the Main Menu page. Yup, I need glasses. Anyway, the Voice Settings link took me to a new page where I could select DTMF = SIP and Inband. FreeSwitch only needs SIP for the IVR, but with Inband there is audible confirmation.

Categories
Internet

Choosing a rural broadband provider

I have recently moved home and I decided that after nearly eight years with PIPEX it was time to look around and see if it was possible to find a better rural broadband provider.

PIPEX provided the service that I needed for many years. But after multiple takeovers, the service and the customer support deteriorated. The low point was in the summer of 2009 when my broadband connection went up from 1.5Mbps to 3.5Mbps for six weeks. To some, this would be fantastic news, and it was to me too for a while. I told my neighbour about the great broadband service I was getting from PIPEX. He was still on 1.5Mbs so he complained to his provider (the one with the local DSLAM). Within a week of his complaint my broadband speed went down to 1Mbps and was up and down like a yo-yo thereafter. I was still paying nearly £30 a month for my unlimited use contract so I complained to PIPEX. They dropped my monthly bill to less than £10 a month but my broadband performance didn’t improve and actually got as low as just 512Kbps in 2010.

I realised that since I first signed with PIPEX there have been many BT exchanges in the UK equipped with competitor’s broadband equipment. My rural exchange was not one of these and my broadband was resold to PIPEX through BT Wholesale. PIPEX (now Opal) just didn’t have the clout in my region to demand better service from BT Wholesale so they just took my money and blamed my problems on being rural. No one could explain why I enjoyed six weeks of uninterrupted broadband at 3.5Mbps in the same house with the same equipment so I knew I was being screwed.

I did some research online and found that PlusNet had a pretty good reputation amongst rural customers. They also have some good online tools for taking a peek at the faults logged on their network including BT Wholesale’s provision. I looked at taking broadband from Sky, BT and a few others, but because I live in a rural location, my connection for the time being would be provided by BT either directly or via wholesale and none of the TV advertised deals apply. I also wouldn’t get the same level of techie fault reporting tools offered by PlusNet. It was clear to me that PlusNet where worth taking the chance on so I signed up for PlusNet voice and broadband for a year and so far I am very happy with the change.

The only hiccup I have had with PlusNet is that they assume that all new customers already have uninterrupted internet access or mobile phone access. I had neither at my new home and still don’t have any mobile phone reception. All of PlusNet’s communication with new customers waiting for connection is via email and SMS text message. Fortunately, my wife’s corporate Blackberry could receive email here so the important messages concerning installation and activation went to her email account instead. PlusNet will not send a letter to you even if you request it so they are by no means perfect, but the best I could hope for.

Don't let slow dial-up Internet get you down. Super-fast up to 20Mb broadband from only £9.99 per month. Free setup now available - terms apply. PlusNet broadband.
Categories
Ubuntu

Wireshark missing interfaces on Ubuntu 10.04

I have been using Wireshark for some time on my Vista laptop but I couldn’t get it to work on my smaller Ubuntu laptop. When an update was installed today for Wireshark on my Windows machine I decided that now was the time to fix the problem on my old Ubuntu laptop.

It was a simple fix that was documented in the wiki. All I had to do was run this command to have WireShark detect the interfaces.

sudo setcap ‘CAP_NET_RAW+eip CAP_NET_ADMIN+eip’ /usr/bin/dumpcap

Categories
Linux Ubuntu

Compiling cURL with SSL on Ubuntu 10.04

I was having problems compiling the latest source of cURL on a freshly installed Ubuntu 10.04 host. The ./configure for cURL refused to find OpenSSL despite it being installed. After reading the cURL FAQ I checked to see if I had libssl installed on my machine and I found that it wasn’t there. The library is not part of the main package but it is in the development package. I installed libssl using:-

sudo apt-get install libssl-dev

Then I rerun the ./configure for cURL with the SSL option

./configure –with-ssl

Success confirmed by the output on screen.

curl version:    7.21.0
Host setup:      i686-pc-linux-gnu
Install prefix:  /usr/local
Compiler:        gcc
SSL support:     enabled (OpenSSL)
SSH support:     no      (--with-libssh2)
zlib support:    enabled
...
Categories
FreeSwitch

FreeSWITCH Book

FreeSWITCH 1.0.6 Book CoverThere is a new book on FreeSWITCH 1.0.6 that is to be published in July 2010 by Packt Publishing. I’m looking forward to reading it.

To find out more about FreeSWITCH visit www.freeswitch.org

Categories
Hardware

Acer DX900 Smartphone

I bought an Acer DX900 Smartphone last September without actually trying one out first. That was a big mistake. The phone’s specification is impressive but it’s the dual SIM card capability that I really needed. I had a look at some Samsung Duos models and they were very good, but none of them at that time had WLAN. It wasn’t long before I started to discover how less than half baked the DX900 is, and how dissapointing Acer’s support can be. The Product Manager for this model is non existent.

After more than seven months of use, I am now ready to accept that I was exceptionally stupid to buy this phone without trying it first. I am stuck with it now for at least another year or more. Having to pull the battery out every day to restart the phone after it crashes is becoming very tiresome.

Note to self:

(1) Never knowingly buy anything made by Acer.
(2) Never buy a phone that has a Microsoft Operating System.