Monthly Archives: June 2013

This article describes how to set up a basic firewall configuration on your Linux box with iptables.

Check your current setup with:

sudo iptables -L

Reset the firewall rules. Note that -F only removes the rules; it leaves the chain policies as they are, so if those are already DROP you end up with a firewall that drops everything. On a remote box set the policies back to ACCEPT first (iptables -P INPUT ACCEPT, and the same for OUTPUT and FORWARD) before flushing:

sudo iptables -F

Set up the most basic firewall with the script below. It only allows SSH: incoming connections to port 22 (each new connection is logged to /var/log/syslog) and outgoing connections to port 22. Because the OUTPUT policy is DROP as well, everything else the box initiates (DNS lookups, NTP, apt-get) is blocked until you add rules for it; adjust the script to allow the ports you need. The script covers IPv4 only; if the host has IPv6 connectivity, ip6tables still accepts everything until you give it equivalent rules.

Both the INPUT and the OUTPUT chain end with a catch-all LOG rule, so every packet the default policy drops leaves a line in syslog. On an exposed host that can be a lot of log; rate-limit those rules with -m limit if it becomes a problem. When applying this to a remote machine, keep a second session open and have a safety net ready (for example a scheduled job that sets the policies back to ACCEPT and flushes the rules a few minutes later) in case you lock yourself out.

#!/bin/sh
IPTABLES=/sbin/iptables
$IPTABLES -F
### Set default policies for INPUT, OUTPUT and FORWARD chain to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
### Loopback: local services (resolver, databases, X) talk over lo; never drop it
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
####### INPUT chain ######
### State tracking rules (log prefixes end in a space so they do not run into the "IN=" field)
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections in: one log line per new SSH connection, then accept it
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j LOG --log-prefix "SSH CONNECTION "
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default INPUT LOG rule: whatever gets here is dropped by the policy, log it first
$IPTABLES -A INPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options

####### OUTPUT chain ######
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for connections out (only outgoing SSH; add DNS, HTTP, NTP etc. here as needed)
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT -j LOG --log-prefix "LOG " --log-ip-options --log-tcp-options
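Once the script is active the interesting question is what the catch-all rules are actually dropping. The script below is an added example, not part of the original post: it summarises the "LOG " lines per source address, protocol and destination port. It assumes the log prefixes used in the script (the catch-all rule tags dropped packets with "LOG ", accepted SSH connections with "SSH CONNECTION ") and that the kernel messages end up in /var/log/syslog. The sample lines are constructed, with documentation-range addresses, not real log output.

```shell
#!/bin/sh
# Added example: summarise the firewall drops the script above logs.
# SAMPLE_LOG is constructed test data in the format iptables LOG produces;
# on a real box you would use: summarize_drops < /var/log/syslog
SAMPLE_LOG='Jun 12 10:00:01 box kernel: [  101.000000] SSH CONNECTION IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:00:02 box kernel: [  102.000000] LOG IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:00:03 box kernel: [  103.000000] LOG IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:00:04 box kernel: [  104.000000] LOG IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 12 10:00:05 box kernel: [  105.000000] LOG IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=5 DF PROTO=ICMP TYPE=8 CODE=0 ID=700 SEQ=1
Jun 12 10:00:06 box sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2'

# Count dropped packets per "source protocol dport". Only lines with the
# catch-all "LOG " prefix are considered: "SSH CONNECTION " lines are
# accepted traffic, and ordinary syslog lines have no firewall fields.
# ICMP has no destination port, so it is shown as "-".
summarize_drops() {
    grep 'kernel: .*LOG IN=' |
    awk '{
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2      # busiest source first, then alphabetical
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
# 2 203.0.113.7 TCP 23
# 1 198.51.100.9 ICMP -
# 1 203.0.113.7 TCP 80
```

The same filter with the prefix changed to "DROP INVALID " shows how much out-of-state traffic the INVALID rules catch; a sudden rise there, or many distinct ports from one source in the "LOG " output, is the kind of thing worth an alert.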

Saving your iptables configuration: install iptables-persistent and answer Yes to both questions (save the current IPv4 and IPv6 rules). The rules are stored in /etc/iptables/rules.v4 and rules.v6 and loaded again at boot.

sudo apt-get install iptables-persistent

Start the persistency service:

sudo service iptables-persistent start

Changes to your configuration can be stored by using the command

sudo service iptables-persistent save

Or reload the current configuration:

sudo service iptables-persistent reload

More detailed information can be found here.


Add a google font to your font repository

Add google fonts to your system; simple and fast

  1. Go to http://www.google.com/fonts/
  2. Search your font
  3. Select “Add to collection”
  4. Select “Download” (button with the arrow picture)
  5. Select Download as zipfile
  6. Unpack zip and copy TTF files to your $HOME/.fonts directory
  7. Fonts are ready for use (after restart of application)

The Gimp: create 3d shape

Create a shape with a 3d effect; simple and fast with The Gimp

  1. Create a new image
  2. Create a new layer
  3. Select an area on the layer
  4. Fill the area with a color (optional)
  5. Select menu “Filters”; select “Light and Shadow”; select “Drop shadow”
  6. Choose your X and Y offset for the shadow
  7. Select allow resizing
  8. Select OK

The Gimp: create 3D Text

Create a 3d text; simple and fast with The Gimp

  1. Create a new image
  2. Add some text
  3. Duplicate the text layer
  4. Select menu “Filters”; select “Blur”; select “Motion Blur”
  5. Enable blur type “Zoom”
  6. Set X and Y properties
  7. De-select “Blur outward”
  8. Set length to about 15
  9. Select “Ok”

Configure Apache

Perform a clean Apache install:

sudo apt-get install apache2

After that, keep copies of the original configuration files:

cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.org
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.org
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl.org

To prevent users from getting a directory listing, turn the Indexes option off. Adding the following line at the bottom of apache2.conf only sets the server-wide default:
Options -Indexes

A <Directory> block that sets Options without + or - replaces that default, and the stock default site does exactly that with “Options Indexes FollowSymLinks MultiViews” for /var/www/. So either edit that Options line in the site (remove Indexes, or write -Indexes) or disable listings for good with sudo a2dismod autoindex. Check the result by requesting a directory that has no index file: it should return 403 Forbidden instead of a file list.

A fresh install (this one also has PHP installed) loads the following modules:

apachectl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
mime_module (shared)
negotiation_module (shared)
php5_module (shared)
reqtimeout_module (shared)
setenvif_module (shared)
status_module (shared)
Syntax OK

As you can see, the rewrite module is missing from this list. You can simply activate it by executing the command below, then restart Apache (sudo service apache2 restart):

a2enmod rewrite
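Because a per-directory Options line silently overrides the global -Indexes, it pays to check the site files rather than trust apache2.conf. The script below is an added example, not from the original post: it lists every <Directory> block in a site file whose Options enable listings. The site it scans is a constructed sample modelled on the stock Ubuntu default site; the paths are assumptions.

```shell
#!/bin/sh
# Added example: find <Directory> blocks that still turn directory listings on.
# SAMPLE_SITE is a constructed site file in the style of the stock default
# site; for a real check use: listing_enabled_dirs < /etc/apache2/sites-enabled/000-default
SAMPLE_SITE='<VirtualHost *:80>
	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
	</Directory>
	<Directory "/var/www/downloads/">
		Options -Indexes +FollowSymLinks
	</Directory>
</VirtualHost>'

# Print the path of every <Directory> block whose Options enable listings.
# "Indexes", "+Indexes" and "All" (every option except MultiViews) all do;
# a "-Indexes" does not. Directive and option names are case-insensitive.
listing_enabled_dirs() {
    awk '
        tolower($1) == "<directory"   { dir = $2; gsub(/[">]/, "", dir); next }
        tolower($1) == "</directory>" { dir = "";                         next }
        tolower($1) == "options" && dir != "" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all") print dir
            }
        }'
}

printf '%s\n' "$SAMPLE_SITE" | listing_enabled_dirs
# /var/www/
```

Only /var/www/ is reported: the root block never enables Indexes and the downloads block explicitly turns it off, so after a global Options -Indexes it is the /var/www/ block that still serves file lists.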

Add SSL to localhost on apache / linux

Generate a Certificate Signing Request

1. Generate the private key for the Certificate Signing Request (CSR). Use 2048 bits; 1024-bit RSA keys are no longer considered adequate.

openssl genrsa -des3 -out server.key.secure 2048

2. Create an unencrypted copy of the key. Apache cannot answer a passphrase prompt when it starts at boot, so the key it uses has to be stored without one; the only thing protecting it is then file ownership and permissions, so keep it owned by root and readable by root only.

openssl rsa -in server.key.secure -out server.key

3. Create the CSR.

openssl req -new -key server.key -out server.csr

Fill in the appropriate information. The Common Name must be the host name you will type in the browser, here localhost; otherwise the certificate will not match the site even after you accept it.

4. Create the self-signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This creates server.crt

5. Install the self-signed certificate and the key

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Make sure the copy in /etc/ssl/private is owned by root and not readable by anybody else (mode 600). Apache can now be configured to use this certificate and key.
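Steps 1 to 5 as one non-interactive script, added here as an example and not part of the original post. It works in a temporary directory (copying to /etc/ssl needs root and is left out), writes the key without a passphrase but owner-readable only, and then checks the two things that most often go wrong: that the certificate really belongs to the key, and that the Common Name is the one the browser will look for. The subject fields and the “localhost” CN are assumptions.

```shell
#!/bin/sh
# Added example: key, CSR and self-signed certificate in one go, with checks.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a 2048-bit key, a CSR and a one-year self-signed certificate.
# umask 077 in the subshell makes the key file owner-only from the start,
# since it is written without a passphrase (Apache cannot answer a prompt).
make_selfsigned() {   # $1 = output dir, $2 = common name (assumed values)
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=NL/O=Example/CN=$2"
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# True when the certificate carries the public half of this private key.
# Pointing Apache at a cert and a key that do not belong together is a
# classic reason for "SSLCertificateKeyFile ... does not match" at startup.
key_matches_cert() {   # $1 = key file, $2 = cert file
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# The CN the certificate was issued to; it must equal the host in the URL.
cert_cn() {   # $1 = cert file
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

make_selfsigned "$WORK" localhost
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key and certificate match"
echo "issued to CN=$(cert_cn "$WORK/server.crt")"
ls -l "$WORK/server.key"     # -rw------- : the key stays owner-only
```

The modulus comparison is the same check Apache performs when it loads the pair, so running it before restarting the server saves a failed start. Copy server.crt and server.key into /etc/ssl as in step 5 once the checks pass.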

Configure Apache to use SSL on local host

6. Enable ssl

sudo a2enmod ssl

7. Edit your default-ssl site (make backup copy)

Change:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

8. Enable the default-ssl site.

sudo a2ensite default-ssl

9. Restart the server.

sudo service apache2 restart

Navigate to https://localhost and examine the certificate details. The browser will warn that the certificate is self-signed and not trusted; that is expected for a local development setup, and it is also why a self-signed certificate is only for localhost and not for anything other users connect to.


chmod to the max

Short and simple chmod reference. Use numbers to set file permissions.

400 read by owner
040 read by group
004 read by anybody (other)
200 write by owner
020 write by group
002 write by anybody
100 execute by owner
010 execute by group
001 execute by anybody

Make a file readable by the owner:
readable (4) for owner = 400 -> chmod 400 fname

Make a file readable and writeable by the owner:
readable + writeable (4 + 2) for owner = 600 -> chmod 600 fname

Make a file readable and writeable by the group:
readable + writeable (4 + 2) for group = 060 -> chmod 060 fname

Make a file readable and writeable by anybody:
readable + writeable (4 + 2) for other = 006 -> chmod 006 fname

Examples

# Set file permission to -rwxr-xr-x
# Read  Owner 400
# Write Owner 200
# Exec  Owner 100
# Read  Group 040
# Exec  Group 010
# Read  Other 004
# Exec  Other 001

# Total = 400+200+100+040+010+004+001 = 755

chmod 755 thefile.cgi

# Read and write by everyone (444 + 222):

chmod 666 file.txt

# Change all directories to rwx by everyone:

find . -type d -exec chmod 777 {} +

# Change all files to rw by everyone:

find . -type f -exec chmod 666 {} +

Both of these make the whole tree world-writable: every local account, including the one a compromised service runs as, can then alter the files. Use them only on scratch data; for anything a daemon serves, 755 for directories and 644 for files is the normal choice.
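The following script is an added example, not part of the original post. It turns the octal table above into a small converter (so a mode like 755 can be read back as rwxr-xr-x) and shows the audit to run before and after a blanket chmod 666/777: listing everything others can write to. The directory tree it inspects is built in a temporary directory with made-up file names.

```shell
#!/bin/sh
# Added example: octal to rwx conversion, plus a world-writable audit.
set -eu

# Expand a three-digit octal mode into the ls -l style rwx string, one digit
# per class (owner, group, other): 4 = r, 2 = w, 1 = x, added up as in the table.
to_symbolic() {   # $1 = mode such as 755
    out=""
    for d in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ $(( d / 4 % 2 )) -eq 1 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d / 2 % 2 )) -eq 1 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d     % 2 )) -eq 1 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# List "mode path" for everything under $1 that others may write to.
# -perm -0002 means "the o+w bit is set", whatever the other bits are.
world_writable() {   # $1 = directory to audit
    find "$1" -mindepth 1 -perm -0002 -exec stat -c '%a %n' {} + | sort
}

# Constructed sample tree using the modes from the examples above.
TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT
mkdir "$TREE/public" "$TREE/private"
echo index  > "$TREE/public/index.html"; chmod 644 "$TREE/public/index.html"
echo cgi    > "$TREE/public/run.cgi";    chmod 755 "$TREE/public/run.cgi"
echo notes  > "$TREE/public/notes.txt";  chmod 666 "$TREE/public/notes.txt"
echo secret > "$TREE/private/key.pem";   chmod 600 "$TREE/private/key.pem"
chmod 777 "$TREE/public"                 # the "rwx by everyone" from above

to_symbolic 755        # rwxr-xr-x
to_symbolic 600        # rw-------
world_writable "$TREE" # only notes.txt (666) and public/ (777) show up
```

A world-writable directory is worse than a world-writable file: anyone can create, rename or delete entries in it, including replacing run.cgi. That is why the audit reports directories as well.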

Setup proxy on Ubuntu

For local website development it is useful to add your domain name to your local hosts file.

If your desktop is configured to use a proxy, the browser hands the name to the proxy, which resolves it itself and never sees your /etc/hosts entry, so the request ends up at whatever the real domain points to. You therefore have to exclude the name from the proxy as well. Execute the following steps to be able to navigate to test.yourdomain.tld in your browser:

1. Edit your /etc/hosts file and add a line:

192.168.x.x test.yourdomain.tld

2. Start the GNOME dconf-editor tool, navigate to “System -> Proxy” and add the domain test.yourdomain.tld to the list of ignore-hosts.

3. Log off and log on again for these settings to take effect.

Check that your settings are updated with the following command in a terminal:

env | grep -i proxy

The domain should show up in the no_proxy= entry.

If everything is ok you can navigate in your browser to test.yourdomain.tld.


Create SVN repository on Synology

Howto install SVN on your Synology: http://forum.synology.com/wiki/index.php/Step-by-step_guide_to_installing_Subversion

Log in to your NAS over SSH (or telnet, which sends your password in clear text over the network).
Repositories have to be owned by svnowner; be sure to create the repository as svnowner (or chown it afterwards):

$>su svnowner

On the Synology your hard disk is mounted at /volume1; create a directory “svn” there:

cd /volume1
mkdir svn
cd svn

Now create your SVN repository with the svnadmin command (on the Synology the svn commands are not on the path but can be found in /opt/bin):

/opt/bin/svnadmin create test

If you want to delete a repository you can do this with regular unix commands; there is no “internal” SVN registration.

Now you have to setup the access to this new repository. Change directory to your new repository conf folder:
cd /volume1/svn/test/conf

The svnadmin command has stored some default files here: passwd and svnserve.conf. First edit the passwd file to add your users for this repository. Below the [users] line add one user = password entry per user. The passwords are stored in plain text, so keep the file readable by svnowner only.

Now edit svnserve.conf in the same folder. Every line in the stock file is commented out, and the built-in default is anon-access = read, so until you change it anyone who can reach the NAS can read the repository. Disable anonymous access by adding (or uncommenting and changing) the line: anon-access = none

To use the password file for authentication of your users, uncomment the password-db = passwd line.

That’s all you have to do on your Synology. SVN is set up (see link) and the repository is created with the appropriate user access. Note that the svn:// protocol itself is not encrypted: the password exchange is protected by a CRAM-MD5 challenge, but the repository contents travel in the clear, so keep it on your LAN or use svn+ssh:// instead.
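Because the stock svnserve.conf consists entirely of commented-out lines, it is easy to believe the repository is closed when it is not. The script below is an added example, not part of the original post: it reads a svnserve.conf the way svnserve does (comments skipped, built-in defaults for anything absent) and reports whether the repository is really private. Both config files it checks are constructed samples; the realm names are made up.

```shell
#!/bin/sh
# Added example: evaluate the effective access settings of a svnserve.conf.
# Constructed sample 1: the file svnadmin create writes, everything commented.
STOCK_CONF='[general]
### These options control access to the repository for unauthenticated
### and authenticated users.
# anon-access = read
# auth-access = write
# password-db = passwd
# realm = My First Repository'

# Constructed sample 2: the file after the edits described above.
HARDENED_CONF='[general]
anon-access = none
auth-access = write
password-db = passwd
realm = test'

# Effective value of key $1 in the [general] section of the config on stdin.
# Lines starting with # or ; are comments, the last assignment wins, and an
# absent key yields the default passed as $2 (svnserve's built-in default).
svnserve_get() {   # $1 = key, $2 = default
    awk -v key="$1" -v def="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = $0; gsub(/[^A-Za-z0-9_-]/, "", sect); next }
        sect == "general" {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            gsub(/[ \t]*=[ \t]*/, "=", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) val = substr(line, n + 1)
        }
        END { print (val == "" ? def : val) }'
}

# Returns 0 only when anonymous access is off and a password file is in use.
svnserve_is_private() {   # config on stdin
    conf=$(cat)
    anon=$(printf '%s\n' "$conf" | svnserve_get anon-access read)
    pwdb=$(printf '%s\n' "$conf" | svnserve_get password-db "")
    [ "$anon" = "none" ] && [ -n "$pwdb" ]
}

report() {   # $1 = label, config on stdin
    if svnserve_is_private; then echo "$1: anonymous access off, users from password-db"
    else echo "$1: repository is readable without a password"; fi
}

printf '%s\n' "$STOCK_CONF"    | report "stock svnserve.conf"
printf '%s\n' "$HARDENED_CONF" | report "hardened svnserve.conf"
```

Run it against /volume1/svn/test/conf/svnserve.conf after editing; a common mistake is adding anon-access = none above the [general] line, where svnserve ignores it.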

Now go to your client machine and checkout the new repository:

svn co svn://[your hostname here]/test

Check the status of your local repository copy:

svn status

Add a file to your repository

svn add newfile

And commit the file to the repository

svn commit newfile