Posts tagged with ubuntu

Hardening Ubuntu LTSP server

Making ssh less exposed to brute-force break-in attempts from the internet is relatively important and straightforward under Ubuntu. The way LTSP works right now, the ssh service is reachable from the outside world unless you block access to port 22 on the WAN interface entirely. This is potentially unsafe if your users have weak passwords, because anyone on the internet could gain user-level access by a brute-force attack. The solution, which is somewhat controversial (many say you should simply make the passwords strong enough that you don't need this), is to create two instances of ssh: one serving the internal IP on port 2222 and one serving the WAN interface on port 22. If you only have one interface, both ssh instances serve the same interface, one on port 22 and the other on port 2222. This is how to set it up:

sudo cp /etc/init.d/ssh /etc/init.d/ltsp-ssh
sudo cp /etc/default/ssh /etc/default/ltsp-ssh
sudo cp /etc/ssh/sshd_config /etc/ltsp/ltsp-sshd_config
sudo cp -a /var/run/sshd /var/run/ltsp-ssh
# -i edits in place, -e gives the expression (written as -ie, sed would treat "e" as a backup suffix)
sudo sed -i -e 's/^Port 22/Port 2222/' /etc/ltsp/ltsp-sshd_config

Note that these are the filenames on a Debian-based system; other systems may vary. You are also free to use a port other than 2222; it is just used here as an example. If you are using two interfaces, also do:

sudo sed -i -e 's/^#ListenAddress 0.0.0.0/ListenAddress 192.168.0.1/' /etc/ltsp/ltsp-sshd_config

Change 192.168.0.1 here as needed.

sudo sed -i -e 's/^#ListenAddress 0.0.0.0/ListenAddress 10.0.0.42/' /etc/ssh/sshd_config

Replace 10.0.0.42 with the address of your WAN-facing interface.

You will also need to change the .pid file of the new ssh instance:

# sudo must apply to tee (the writer), not to echo
echo "PidFile /var/run/ltsp-sshd.pid" | sudo tee -a /etc/ltsp/ltsp-sshd_config > /dev/null
sudo sed -i -e 's|^SSHD_OPTS=|SSHD_OPTS="-f /etc/ltsp/ltsp-sshd_config"|' /etc/default/ltsp-ssh
# The stock sshd_config has no AllowUsers line: edit it if present, otherwise append one
grep -q '^AllowUsers' /etc/ltsp/ltsp-sshd_config \
  && sudo sed -i -e 's|^AllowUsers|AllowUsers *@192.168.0.0/24|' /etc/ltsp/ltsp-sshd_config \
  || echo 'AllowUsers *@192.168.0.0/24' | sudo tee -a /etc/ltsp/ltsp-sshd_config > /dev/null

Finally, we harden the outward-facing WAN instance as follows:

# ^#* also matches the commented-out defaults shipped in the stock file (e.g. "#PasswordAuthentication yes")
# Make sure the users listed below already have their public keys in ~/.ssh/authorized_keys before disabling passwords
sudo sed -i -e 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -e 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
grep -q '^AllowUsers' /etc/ssh/sshd_config \
  && sudo sed -i -e 's/^AllowUsers/AllowUsers sysadmin nubae/' /etc/ssh/sshd_config \
  || echo 'AllowUsers sysadmin nubae' | sudo tee -a /etc/ssh/sshd_config > /dev/null

Substitute your most trusted sudo-capable users for sysadmin and nubae in the example above.

To make the second ssh instance start by default, also do:

sudo update-rc.d ltsp-ssh defaults
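The sed one-liners above only work when the directive they look for is already present in exactly the expected form; on a stock Debian sshd_config most options are commented out ("#PasswordAuthentication yes") and AllowUsers is absent, so a plain substitution silently changes nothing and the WAN instance stays open. The following is an added example, not part of the original post: a small POSIX shell helper that sets an sshd directive whether the line is active, commented or missing, plus a reader that reports the value sshd will actually use (the first uncommented occurrence wins). The demo runs it on a constructed file shaped like the stock config, not on any real system file.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Sets KEY to VALUE in an sshd_config: a line that already carries KEY is
# rewritten, whether it is active or commented out, and a KEY that is absent
# is appended. Plain "s/Key yes/Key no/" edits do nothing in both of those
# cases, which is the silent failure this guards against.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E -i -e "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY
# Prints the value sshd will use for KEY: the first uncommented line wins and
# later duplicates are ignored, so this is what to check before restarting.
effective_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Worked run on a constructed file (a few lines in the shape of the stock
# Debian sshd_config, not a copy of any real one), applying the internal
# instance's settings from the post. Prints the path for inspection.
demo_harden() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
EOF
    set_sshd_option "$tmp" Port 2222
    set_sshd_option "$tmp" ListenAddress 192.168.0.1
    set_sshd_option "$tmp" PermitRootLogin no
    set_sshd_option "$tmp" PasswordAuthentication no
    set_sshd_option "$tmp" AllowUsers '*@192.168.0.0/24'
    printf '%s\n' "$tmp"
}
```

After editing a real config, run `sshd -t -f /etc/ltsp/ltsp-sshd_config`: sshd's test mode reports syntax errors before you restart and risk losing your session. The rewrite is deliberately line-based and would also touch a directive inside a Match block, so inspect the result; effective_sshd_option only reports the global setting.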

A final note: the safest approach overall would be to put a firewall and port blocker on an entirely separate machine and only allow ssh access to one account on that machine, from which one could then reach the internal network. But if you just have one server, hopefully this gives you some peace of mind.




making Asus eeePC work for Ubuntu LTSP

The Asus eeePC has become an extremely popular Linux-based laptop, and it works great with the preinstalled OS, Xandros. It is also a desirable thin terminal, in that it is small, already has a monitor and is cheap. The smaller model's screen might be a bit too small, but one can always add an external monitor, keyboard and mouse and make it a full thin terminal. To do that, one must fix the atl2 kernel panic bug. The instructions that follow are not mine; I found them elsewhere on the net and adapted them a little:

sudo chroot /opt/ltsp/i386
nano /etc/initramfs-tools/modules

Add atl2 to the modules list.
Next, update your initramfs (where kernel-version-number is the version number of your kernel, e.g. 2.6.27-6-386):

update-initramfs -k kernel-version-number -c
exit

This updates the kernel's initramfs, creating a file in /boot/ named something like initrd.img-2.6.27-6-386. The file must now be copied from /opt/ltsp/i386/boot to /var/lib/tftpboot/ltsp/i386, after renaming the existing one as a backup:

mv /var/lib/tftpboot/ltsp/i386/initrd.img-kernel-version-number /var/lib/tftpboot/ltsp/i386/initrd.img-kernel-version-number.bak
cp /opt/ltsp/i386/boot/initrd.img-kernel-version-number /var/lib/tftpboot/ltsp/i386/

Now restart the Asus eeePC and it should just work.
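The mv/cp pair above has one sharp edge: if the new initrd is missing (a typo in the kernel version, or update-initramfs failed inside the chroot), the mv still renames the one the terminals boot from and every eeePC stops booting. As an added example that is not part of the original post, here is the same copy step as a shell function that checks the source first and only then takes the backup; the demo runs it on a constructed temporary directory layout instead of the real /opt/ltsp and /var/lib/tftpboot paths.

```shell
#!/bin/sh
# install_ltsp_initrd CHROOT TFTPDIR KERNELVER
# Copies the rebuilt initramfs from the LTSP chroot into the tftp directory,
# keeping a .bak of the one currently being served. Refuses to touch the
# served file when the new one does not exist, so a wrong KERNELVER cannot
# leave the terminals without a bootable initrd.
install_ltsp_initrd() {
    chroot_dir=$1; tftp_dir=$2; ver=$3
    src="$chroot_dir/boot/initrd.img-$ver"
    dst="$tftp_dir/initrd.img-$ver"
    if [ ! -f "$src" ]; then
        echo "install_ltsp_initrd: $src not found (run update-initramfs in the chroot first)" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak" || return 1
    fi
    cp "$src" "$dst"
}

# Constructed layout under a temp dir (not real LTSP paths): an old initrd
# already served over tftp and a freshly built one in the chroot.
demo_install() {
    base=$(mktemp -d)
    mkdir -p "$base/chroot/boot" "$base/tftp"
    printf 'old initrd\n' > "$base/tftp/initrd.img-2.6.27-6-386"
    printf 'new initrd with atl2\n' > "$base/chroot/boot/initrd.img-2.6.27-6-386"
    install_ltsp_initrd "$base/chroot" "$base/tftp" 2.6.27-6-386 || return 1
    printf '%s\n' "$base"
}
```

On a real server the call is `install_ltsp_initrd /opt/ltsp/i386 /var/lib/tftpboot/ltsp/i386 2.6.27-6-386`, run as root.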




Sugar on LTSP Ubuntu Intrepid Ibex with ejabberd and collaboration

With the announcement that the Sugar packages were finally up to date in Ubuntu, it was time to try something I've been wanting to do for a while: run a Sugar environment on Ubuntu LTSP terminals with collaboration. With the help of some Sugar devs I managed to get it all working quite nicely:

Installing Sugar

The base Sugar and its activities all seem to work wonderfully, although at the time of writing some of the other Sugar activities are not working yet. By the time Intrepid is released this will probably be fixed.

sudo apt-get install sugar sugar-activities

You can search for other Sugar activities you can install like this:

sudo apt-cache search sugar

Then change the default session to Sugar like this:

sudo nano /home/$username/.xsession

(where $username is the user for whom you want Sugar to be the default shell.)

And add the following to the .xsession file:

export SUGAR_LOGGER_LEVEL=debug
export GABBLE_DEBUG=all
export GABBLE_LOGFILE=/home/$user/.sugar/default/logs/telepathy-gabble.log
export PRESENCESERVICE_DEBUG=1
export LM_DEBUG=net
exec ck-launch-session dbus-launch --exit-with-session sugar-shell

A quick explanation of the file is in order. The export lines are only for debugging and aren't needed if you don't intend to look at the log files. Remember that $user should be the name of the user whose home folder this is. ck-launch-session is there to make Sugar exit properly when you exit from the menu. The --exit-with-session makes sure there are no lingering sessions after ctrl-alt-backspace, currently the only way to exit, as ck-launch-session doesn't seem to work.

Finally, make sure you have your server hostname in place of olpc.collabora.co.uk:

sudo sed -i -e "s/olpc\.collabora\.co\.uk/hostname/" /home/$username/.sugar/default/config

There are now two ways to install ejabberd. The ejabberd packages in Debian are up to date, so installing ejabberd from scratch really only helps on non-Debian distros.

Installing Ejabberd from the repositories

sudo apt-get install ejabberd
sudo dpkg-reconfigure ejabberd

You need to add the user (usually admin) and the fully qualified domain name on which ejabberd will be running. You can find this by running hostname -f.

Patch /etc/ejabberd/ejabberd.cfg by downloading the OLPC-based patch and applying it:

wget http://dev.laptop.org/~morgan/ejabberd/ejabberd.cfg.patch
sudo patch /etc/ejabberd/ejabberd.cfg  ejabberd.cfg.patch
sudo /etc/init.d/ejabberd restart

Skip the section on installing ejabberd from source and continue at "Installing the SSL certificate".

Installing Ejabberd from source

The first step involves downloading the source package like this:

mkdir ejabberd
cd ejabberd
wget http://www.process-one.net/downloads/ejabberd/2.0.0/ejabberd-2.0.0.tar.gz
tar xfz ejabberd-2.0.0.tar.gz

We then download the patches from OLPC that allow ejabberd to perform proper collaboration, and apply them:

wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_push2.diff
wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_recent.diff
wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/shared_roster_online.diff
wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/mod_ctlextra.diff
wget http://people.collabora.co.uk/~robot101/olpc-ejabberd/ejabberd.cfg
cd ejabberd-2.0.0/
# patch reads the diff from stdin; without the redirect it would treat the diff as the file to patch
patch -p1 < ../shared_roster_push2.diff
patch -p1 < ../shared_roster_recent.diff
patch -p1 < ../shared_roster_online.diff
patch -p1 < ../mod_ctlextra.diff
cd src
./configure
make
sudo make install

We also edit /etc/ejabberd/ejabberd.cfg and replace jabber.laptop.org with the actual server hostname, and the user "jtest" with "admin" (although you can use a different user if you like):

cd ../..
sudo cp ejabberd.cfg /etc/ejabberd/
# Single quotes keep the double quotes in the Erlang terms literal; \[ \] and \. escape the regex metacharacters
sudo sed -i -e 's/{hosts, \["jabber\.laptop\.org"\]}\./{hosts, ["hostname"]}./' /etc/ejabberd/ejabberd.cfg
sudo sed -i -e 's/{acl, admin, {user, "jtest", *"jabber\.laptop\.org"}}\./{acl, admin, {user, "admin", "hostname"}}./' /etc/ejabberd/ejabberd.cfg

Remember to replace hostname with the actual server hostname.
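The two sed edits above are easy to get wrong: the Erlang terms contain double quotes, square brackets and a trailing dot, all of which either break shell quoting or are regex metacharacters. As an added example, not part of the original post or of the OLPC ejabberd packaging, here is the same rewrite as a shell function that takes the hostname and admin user as arguments, rejects values that could not safely be placed inside a sed replacement or an Erlang string, and verifies afterwards that no reference to the sample host survives. The demo runs on a constructed three-line excerpt in the shape of the OLPC sample config, not on the real file.

```shell
#!/bin/sh
# configure_ejabberd_host CFG HOSTNAME ADMINUSER
# Rewrites the {hosts, [...]} term and the admin acl of an OLPC-style
# ejabberd.cfg. Erlang terms end in a dot, which is why the patterns are
# anchored on "}." rather than on the closing brace alone.
configure_ejabberd_host() {
    cfg=$1; host=$2; admin=$3
    # Both values end up inside a sed replacement and an Erlang string: refuse
    # anything outside a conservative alphabet instead of trying to escape it.
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1;; esac
    case $admin in ''|*[!A-Za-z0-9._-]*) echo "bad user: $admin" >&2; return 1;; esac
    sed -i \
        -e "s/{hosts, \[\"jabber\.laptop\.org\"\]}\./{hosts, [\"$host\"]}./" \
        -e "s/{acl, admin, {user, \"jtest\", *\"jabber\.laptop\.org\"}}\./{acl, admin, {user, \"$admin\", \"$host\"}}./" \
        "$cfg" || return 1
    # Sanity check: nothing should still point at the sample host.
    ! grep -q 'jabber\.laptop\.org' "$cfg"
}

# Constructed excerpt in the shape of the OLPC sample config (not the real
# file), rewritten for a made-up server. Prints the path for inspection.
demo_configure() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
{hosts, ["jabber.laptop.org"]}.
{acl, admin, {user, "jtest", "jabber.laptop.org"}}.
{access, configure, [{allow, admin}]}.
EOF
    configure_ejabberd_host "$tmp" ltsp.example.org admin || return 1
    printf '%s\n' "$tmp"
}
```

On the server the call is `configure_ejabberd_host /etc/ejabberd/ejabberd.cfg "$(hostname -f)" admin`, run as root after copying the sample config into place.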

Installing the SSL certificate

You must also install an SSL certificate, which is required for collaboration to work (this is an important step).

openssl req -newkey rsa:1024 -keyout ejabberd.pem -nodes -x509 -days 3650 -out ejabberd.cer
echo "" >> ejabberd.pem
cat ejabberd.cer >> ejabberd.pem
sudo cp ejabberd.pem /etc/ejabberd/ejabberd.pem
sudo chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
sudo chmod 400 /etc/ejabberd/ejabberd.pem

Finally we add user@hostname to /etc/ejabberd/ejabberdctl.cfg, remembering to replace hostname with your real server hostname:

echo "ejabberd@hostname" | sudo tee -a /etc/ejabberd/ejabberdctl.cfg > /dev/null

Then you can turn ejabberd on with

sudo ejabberdctl start

See if ejabberd is running properly:

sudo ejabberdctl status

which should produce output like the following:

Node ejabberd@hostname is started. Status: started
ejabberd is running

Then add the admin user:

sudo ejabberdctl register admin hostname xx

This should now allow you to log in to the ejabberd web control panel:

Go to http://yourserver:5280/admin/
Log in as your ejabberd administrative user. Your username is a Jabber address, e.g. "admin@yourserver".
Select Virtual Hosts, then your server hostname, then Shared Roster.
Add a group called Online with the following settings:
  - Name: Online
  - Members: @online@
  - Displayed Groups: Online

It is recommended that you register a user via your favourite Jabber program; as the Sugar users log in, you'll see them in the Online group.

If you run into problems, check the logs in /var/log/ejabberd/ to see what could be wrong. For Sugar logs, look in /home/$user/.sugar/default/logs/.

Enjoy your terminal session sugar experience!




eggdrop IRC bot with logging to website

After playing around a bit with the PHP bot that logs to MySQL, I turned to a slightly more industrial solution: installing an eggdrop bot together with a script that lives inside the bot and converts its log files to HTML. This turned out to be the easiest solution, albeit a time-consuming one. First it was necessary to install an eggdrop bot, which on Debian and Ubuntu can be done like so:

apt-get install eggdrop

This installs eggdrop into its global location; if, like me, you want to run it from a specific user's home, you need to copy the configuration file (eggdrop.conf) to the home directory of your choice (for example /home/logbotuser/eggdrop.conf). You must go through the configuration file thoroughly and uncomment the various lines that stop you from executing the bot before you have read through ALL the configuration options. The important stuff is at the top, like the bot nick and the channel, but there are also important settings further down, such as which IRC servers to connect to. When you are done, start the bot with:

eggdrop -m eggdrop.conf

You use the -m option only the first time, as it tells the bot to create a new user list; after that you can msg the bot "hello" from IRC, or telnet into it and type NEW as the username. The bot should now be happily running on the channel of your choice. One other thing you can do is set up a cron job that makes sure your bot is always running: the crontab entry checks every 10 minutes that the bot is still active and relaunches it if it isn't. To set it up, move the botchk script from /usr/share/eggdrop/scripts/ to your user directory:

mv /usr/share/eggdrop/scripts/botchk /home/user/eggdrop/

Then edit the botchk script, which has some self-explanatory settings corresponding to what you already configured in eggdrop.conf. Something that is not mentioned is the need to replace the three entries that contain the string ./ $botdir with:

/path/to/eggdrop/dir/ $botdir

In the example above, that would be /home/username/eggdrop/ $botdir

The final part is to add the crontab entry, like so:

crontab -e

Here you add the following line:

0,10,20,30,40,50 * * * *   /path/to/botchk
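What botchk does every ten minutes is a liveness check on a pidfile followed by a conditional relaunch. As an added example that is not the botchk script shipped with eggdrop, here is that logic written out in POSIX shell, so you can see what "still active" means and what the cron job does when the check fails: a pidfile that is missing, empty, non-numeric or names a dead process all count as "down". It assumes eggdrop writes its pid to pid.<botnick> in its working directory; adjust the path if your setup differs.

```shell
#!/bin/sh
# bot_alive PIDFILE
# Returns 0 when PIDFILE names a process that still exists, 1 otherwise.
# The pid is read through tr so that trailing newlines or garbage in the
# file cannot be passed to kill.
bot_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_bot PIDFILE LAUNCH_COMMAND [ARGS...]
# Relaunches with LAUNCH_COMMAND when the bot is not alive and echoes
# "running" or "restarted", so the cron mail tells you which happened.
# The launch command is passed as separate arguments (no eval), e.g.
#   cd /home/username/eggdrop && ensure_bot pid.logbot ./eggdrop eggdrop.conf
# (assumed paths; -m is deliberately absent, it is only for the first start).
ensure_bot() {
    pidfile=$1; shift
    if bot_alive "$pidfile"; then
        echo running
    else
        "$@" || return 1
        echo restarted
    fi
}
```

Run from cron as the bot's own user and with the bot's directory as the working directory, exactly as botchk expects; a pidfile left behind by a crashed bot is handled by the kill -0 check rather than by trusting the file's existence.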

Now you can download the logs2html script from here.

To install it, unzip it and follow the README instructions. One thing not mentioned is that the actual compiled module is in the precompiled/eggdrop 3/ directory. You need to move this to /usr/lib/eggdrop/modules/.

Then edit the logs2html.conf script and the chan.list file. You must also re-edit eggdrop.conf and add a line at the end containing:

source logs2html.conf

When you are done, you should be able to view your IRC logs on a website as defined in chan.list. There is an example here: www.nubae.com/logs

