Answers 78

From LXF Wiki


<title>Bash it in</title>

<question>I'm trying to write a couple of Bash scripts using utility programs that take keyboard input. For example,

update-alternatives --config xxx

needs a choice from the keyboard. I want to automate it from a parameter passed when the script is used. At the moment my best effort writes a file using the input parameter, runs update-alternatives, redirecting input from the newly created file, then deletes the file. There must be a better way. How can you pass a parameter rather than use keyboard input without writing it to a file first? </question>

<answer>Remember the Linux (and Unix) creed: "Everything is a file." This includes standard input and output. They have the special file handles &0 for stdin and &1 for stdout (&2 is stderr). This should do what you need:

echo "A" | update-alternatives --config xxx <&0

Where A is the input parameter. echo sends the command to stdout. The pipe (|) sends the stdout to stdin for the next command. &0 is the file handle for stdin, so <&0 redirects it to the command. Another Linux truism applies here too: "There are always at least two ways to accomplish a task." Instead of &0, &1 and &2 you can use /dev/stdin, /dev/stderr and /dev/stdout. The & versions are easier to type for quick shell commands, but the /dev versions will be a little more readable when you look at the script six months from now. </answer>
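An added example, not part of the original answer: a script parameter is validated and then fed to a stdin-reading tool by pipe or here-document, with no temporary file. Because the verifier has no update-alternatives, the hypothetical function pick stands in for it and asks two questions, which shows how several prompts are answered one line each.

```shell
#!/bin/sh
# Stand-in for an interactive tool such as 'update-alternatives --config':
# it asks two questions on stderr and reads the answers from stdin.
pick() {
    printf 'Selection: ' >&2; read -r sel
    printf 'Confirm (y/n): ' >&2; read -r ok
    [ "$ok" = "y" ] && printf '%s\n' "$sel"
}

# run_pick SELECTION: check the parameter before handing it to the tool,
# then send one answer per line down a pipe; each 'read' consumes one line.
run_pick() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: run_pick <number>" >&2; return 1 ;;
    esac
    printf '%s\ny\n' "$1" | pick
}

# The same with a here-document, which reads better when several answers
# are needed; the parameter is expanded inside the document.
run_pick_heredoc() {
    pick <<EOF
$1
y
EOF
}
```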

<title>Ethereal installation</title>

<question>I have just bought your magazine and installed SUSE Linux on a redundant PC, as I really would like an understanding of Linux. The install was easy to follow, and your magazine tutorials were really helpful. However, I am a network engineer and would now like to install Ethereal [a network protocol analyser]. Because I am new to Linux and have very little experience, could you advise me on what to download and how to build and install it on my Linux PC? </question>

<answer>While it is fairly easy to build Ethereal, or most other programs, from source, one of the benefits of a distro like SUSE is that the bulk of what you are likely to need is available to install from the discs or a central repository. To install Ethereal the easy way, run Yast from the System section of the SUSE menu, go into the Software section and click on Software Management. Now you only need to type 'ethereal' in the search box, select the program from the results list and press Accept to install it. If there are any dependencies (other programs or libraries needed by the software) these will be installed automatically, so don't worry there. By default, Yast only knows about packages on the installation media. You can add extra installation sources (or repositories) by selecting Installation Sources from Yast's Software section. There is a list of SUSE mirrors at www.opensuse.org/Mirrors_Released_Version. Pick one of these and add it to Yast to make sure you have access to the latest updates. </answer>

<title>Catch 22</title>

<question>I am going to work abroad for a couple of months and I want to have remote access to my network indoors. So I installed FreeNX on SUSE 9.3 and forwarded port 22 on my Netgear router to the machine, and with no effort at all I was able to bring up my desktop by connecting through the internet to my local computer, look at my emails and start any application available on the box. This morning looking at the /var/log/messages file I saw that someone is attacking port 22. There were hundreds of messages from sshd for different users saying 'Invalid user <xxx> from ::ffff:195.90.196.20'. There are only two registered users on my system that can log in: root and my user ID, which looks nothing like anything a hacker can guess. I also use strong passwords with upper- and lower-case letters as well as numbers, and no dictionary words. Should I be worried about the attacks? Is there a way to tell sshd to refuse connections after x failed logons in y seconds, or should I just monitor it and drop packets on an IP address basis? </question>

<answer>Such attacks are commonplace if you expose port 22 to the world at large. But there are a number of steps you can take to reduce the chances of someone getting in. Strong passwords are the first step. As you are using SSH for remote desktop use, you don't need root access, so disable that in /etc/ssh/sshd_config. Find the line

PermitRootLogin yes

and change the yes to no to block root access. You can still have root access if you need it by connecting as your user and using su to switch to root, but a cracker would have to first crack your username, then your password and then the root password. Alternatively, change the yes to without-password. This allows root logins, but only if you have an authorised key. See the man pages for ssh and ssh-keygen for details on generating and using keys like this. You could require all users to have a key, but this would mean copying your key to any computer you needed to use to log in. This is the best option if you will be using your own laptop via whatever internet connection you have available, but won't be much use if you plan to use other computers. You enable this in the configuration file with

PasswordAuthentication no

You could also run SSH on a non-standard port, something above 1024, by changing the 'Port 22' line in sshd_config and passing the new port number to nxclient or knx. This provides an extra layer of complication for the crackers to work through, and significantly cuts down on the number of logged access attempts. There are a number of programs that will monitor log files and block IP addresses that attempt brute force attacks on SSH or other ports. You could look at http://breakinguard.sourceforge.net, http://daemonshield.sourceforge.net or www.csc.liv.ac.uk/~greg/sshdfilter. </answer>
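An added example, not from the original answer: the "x failed logons in y seconds" check the question asks for, done with awk over sshd lines of the form quoted above. The log lines are constructed (documentation addresses, not the one in the question), and the output is the list of source addresses that reached the threshold, which is what a per-address drop rule or the log-monitoring tools named above act on.

```shell
#!/bin/sh
# flag_bruteforce LOGFILE MAX_FAILS WINDOW_SECONDS
# Prints each source address, once, as soon as it has MAX_FAILS or more
# "Invalid user" failures within WINDOW_SECONDS.
flag_bruteforce() {
    awk -v max="$2" -v win="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /sshd\[[0-9]+\]: Invalid user/ {
        # Syslog stamp "Mon DD HH:MM:SS" has no year; a 31-day month is close
        # enough for ordering within one log (breaks only across New Year).
        split($3, t, ":")
        ts = (((mon[$1] * 31 + $2) * 24 + t[1]) * 60 + t[2]) * 60 + t[3]
        ip = $NF
        sub(/^::ffff:/, "", ip)            # strip the IPv4-mapped prefix
        n[ip]++
        times[ip, n[ip]] = ts
        # count this address'"'"'s failures inside the last win seconds
        c = 0
        for (k = n[ip]; k >= 1 && ts - times[ip, k] <= win; k--) c++
        if (c >= max && !flagged[ip]) { flagged[ip] = 1; print ip }
    }' "$1"
}

# Constructed sample log, in the format the question quotes.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 10 03:12:01 server sshd[4123]: Invalid user admin from ::ffff:203.0.113.5
Dec 10 03:12:03 server sshd[4125]: Invalid user test from ::ffff:203.0.113.5
Dec 10 03:12:04 server sshd[4127]: Invalid user oracle from ::ffff:203.0.113.5
Dec 10 03:12:06 server sshd[4129]: Invalid user guest from ::ffff:203.0.113.5
Dec 10 03:12:09 server sshd[4131]: Invalid user www from ::ffff:203.0.113.5
Dec 10 03:15:40 server sshd[4140]: Accepted publickey for fred from 192.168.1.20 port 50212 ssh2
Dec 10 03:20:11 server sshd[4150]: Invalid user admin from ::ffff:198.51.100.7
Dec 10 04:05:11 server sshd[4160]: Invalid user root from ::ffff:198.51.100.7
EOF
}
```

With a threshold of five failures in 60 seconds only 203.0.113.5 is reported; 198.51.100.7 fails twice 45 minutes apart and is not.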

<title>Crypto factor</title>

<question>In our office we have an internal Dovecot-based email server. We would like to offer our employees encrypted access to it, as some of them want to connect from home, but we are worried about the security implications of allowing this. Please could you tell us how we can let them connect securely, using secure email protocols? </question>

<answer> Securing these basic services is not hard, even though the mathematical concepts of cryptography can be very difficult to grasp. All we need to do is create an SSL certificate and make sure that the email server uses the certificates that we have created. You could also buy a certificate, but if it is just for internal usage, the expense may not be justified. If it were for publicly accessible services I would say you would need a certificate from a vendor that is recognised by most popular email clients, or a warning will display each time. In order to create the certificate we will be using the OpenSSL (http://openssl.org) program, which idistributions. As the openssl command can be extremely obscure, there is a simple interactive interface which can be used to generate most certificates that you will need. We could use a script that comes with Dovecot, mkcert.sh, but if we use the OpenSSL files we can make other types of keys and certificates. As root, change to the /etc/pki/tls/certs (/usr/share/ssl/certs for SUSE; /etc/ssl for Mandriva) directory. You can type make at the command prompt to get a reminder of what certificates you can create. Normally we create a key first and then create the certificate from the key; however, if we just specify make dovecot.pem it will create a key and certificate in the same file for use with Dovecot. All you need to do is fill in the information when prompted. The defaults are listed in square brackets. The most important field that you need to fill in is the Common Name, for which you should give the domain name of your server. All the others should be filled in as appropriate. Now we just have to copy the file we have created to the required location specified in the Dovecot configuration file (/etc/dovecot.conf) with the two parameters ssl_cert_file and ssl_key_file, being the certificate and key file respectively.
So we just copy the joint key and certificate file to the locations specified, /etc/pki/dovecot/dovecot.pem and /etc/pki/dovecot/private/dovecot.pem, removing the automatically generated localhost files that had been created. We have now generated a unique certificate and have a secure Dovecot mail server. </answer>
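An added example, not Dovecot's mkcert.sh and not the certs Makefile: the same combined key-and-certificate file built with openssl directly, plus two checks worth running before pointing ssl_cert_file and ssl_key_file at it. The server name mail.example.com, the organisation name and the output path are assumptions.

```shell
#!/bin/sh
# make_dovecot_pem OUTFILE COMMON_NAME
# Self-signed certificate plus its private key in one file, the layout
# 'make dovecot.pem' produces. CN must be the name clients connect to.
make_dovecot_pem() {
    tmpkey=$(mktemp); tmpcrt=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Office/CN=$2" \
        -keyout "$tmpkey" -out "$tmpcrt" 2>/dev/null
    cat "$tmpcrt" "$tmpkey" > "$1"
    chmod 600 "$1"          # the private key is in there: owner-readable only
    rm -f "$tmpkey" "$tmpcrt"
}

# cert_cn FILE: print the Common Name of the certificate in FILE, so you can
# confirm it is the server's domain name and not the default 'localhost'.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_matches_cert FILE: succeed only when the key and certificate in the
# combined file belong together (same RSA modulus); a mismatch here is the
# usual reason a freshly copied certificate fails to load.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" ]
}
```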

<title>Nomodem</title>

<question>After months of soul searching I finally took my courage in both hands and SUSE 10 from the cover of your magazine [LXF74]. The installation was smooth but the system insisted that I am on a network (I'm not: this is a stand-alone computer) and also did not find my modem. I've tried everything suggested in the magazine and consulted the various websites and forums suggested by you but (I admit I didn't understand a word of most of what I read) to no avail. I even tried to wipe Linux from my hard drive altogether but for a long time couldn't even restart in Windows because something called Grub wouldn't start. If you can help, I'll give it one more try. Otherwise, how do I uninstall SUSE Linux 10.0? </question>

<answer> A general point first. Unless you tell us as much as possible about your system, we're in the dark. It would really help to know about the hardware on which you are trying to install Linux. Does your computer have a network interface? If so, this is why SUSE thinks you are on a network. The solution to this is simple. Run Yast, go to Network Devices > Network Card, highlight the network interface and press Delete. Now you can turn your attention to the modem. The most likely reason for SUSE not identifying your modem is that it is a so-called Winmodem. These devices use minimal hardware, leaving much of the work to the computer's CPU through a special Windows driver. Some of these modems can be persuaded to work with Linux, but others are a lost cause because their manufacturers will not release the information needed to write a driver. The first step is to identify the modem with ScanModem, which we have included on the coverdisc. Open a terminal and type

sh /media/cdrom/Magazine/Answers/scanModem

This will create a Modem directory, containing several text files. These should identify your modem and give information on which driver to use and where to get it. Once you have run ScanModem and identified your device, you can find more information about it at http://linmodems.org. An alternative is to use a standard serial modem (not a USB modem, as some of them suffer similar issues to Winmodems). Serial port modems work entirely independently of the operating system, bypassing any compatibility issues. Your problem with uninstalling Linux is not unique. When you installed Linux, you also installed the Grub bootloader, which gives you the choice of Linux or Windows. When you erased Linux, you left Grub in the hard disk's master boot record, but removed the files it needs; thus Grub couldn't start. The solution for Windows 98 is to boot your Windows rescue disc and run

fdisk /mbr

The equivalent command for Windows XP is fixmbr. </answer>

<title>Chrony logical</title>

<question>I have an old box running Mandrake 8.2 as a home server for about six other PCs in the house. We are still on ISDN dial-up as there is no pressing need to upgrade to broadband. I have been using NTP fine for the past few months to update the server's clock once a week. I have a simple Cron job that connects to the internet, calls ntpdate to sync the time with one of the NTP servers at uk.pool.ntp.org, then disconnects from the internet. The next stage is to get the client PCs to sync to the server's time. I cannot use ntpdate on the server as it is a one-off command rather than a daemon, so I have to use ntpd, the actual NTP daemon. Now that I've finally figured out how to set it up (the NTP documentation reads like an astrophysics PhD thesis rather than a user's guide) I can indeed sync the client PCs to the server, but the NTP daemon tries to sync to a server on the internet every few minutes, and most of the time this fails as the net connection happens to be down. Basically, how can I use ntpd but force it to only sync with a server on the internet at specific times? Alternatively, is it possible to use my ntpdate Cron job but run a separate NTP server that takes the current system time and serves that to the client PCs? </question>

<answer>Most NTP servers, including ntpd and openntpd, are designed to be used with a permanent internet connection. Liaising with other time servers is an integral part of the way they work, making them unsuitable for your needs. Chrony is designed to provide time services to a network with an intermittent, or even non-existent, internet connection. It consists of two programs: chronyd is the daemon, providing time services based on the system clock; chronyc is a command line program that can be run from your cron script to synchronise the clock with another time server. Get the latest version at http://chrony.sunsite.dk. You will need to compile it from source, but this is straightforward and clearly documented in the INSTALL file. The documentation is verbose, but setting up a basic server is quite simple. Put the following lines into /etc/chrony.conf, replacing each nnn.nnn.nnn.nnn with the IP address of a server.

server nnn.nnn.nnn.nnn offline
server nnn.nnn.nnn.nnn offline
server nnn.nnn.nnn.nnn offline
keyfile /etc/chrony.keys
commandkey 1
driftfile /etc/chrony.drift
allow 192.168.1

You can obtain a list of suitable servers with

netselect -s 3 pool.ntp.org

The 'offline' parameters stop chrony trying to synchronise with the servers, which is what you want. The allow command indicates the IP range allowed to get time from the server. Set up a password with

echo '1 somepassword' > /etc/chrony.keys

Then start the daemon with the supplied init script. Now it will serve time to your network based on its system clock. To update the system clock, amend your Cron script to do this after connecting:

/usr/local/bin/chronyc <<EOF
password somepassword
online
EOF

Repeat it before disconnecting, changing online to offline. </answer>

<title>Mouse control</title>

<question>I have an IntelliMouse, with seven buttons: 1 = left, 2 = middle, 3 = right, 4 and 5 = wheel, then 6 and 7 as extra buttons by my thumb. I want to use those last two buttons for something like volume control or maybe track-skipping in Amarok. As far as I can tell, this can't be set up in the xorg.conf file. Can you help? </question>

<answer> First you need to make sure that all seven buttons send events to X. Run xev from a terminal and click the various buttons while the window is active. If the button is recognised, you'll see something like this:

ButtonRelease event, serial 31, synthetic NO, window 0x3600001,
    root 0x5a, subw 0x0, time 191458267, (86,11), root:(91,162),
    state 0x1, button 4, same_screen YES

If you get no events from the extra buttons, edit the mouse section of xorg.conf. You should already have a ZAxisMapping line, so change this to the two highest numbered buttons and add a Buttons line to indicate the number of buttons. This is how it looks for my seven-button mouse:

Section "InputDevice"
Identifier "USBMouse"
Driver      "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/input/mice"
Option "Buttons" "7"
Option "ZAxisMapping" "6 7"
EndSection

Restart X and run xev again to make sure the buttons work. Your extra buttons will be 4 and 5; the wheel is now 6 and 7. Now you need to map these events to actions. A useful program for this is XBindkeys, available from http://hocwp.free.fr/xbindkeys or possibly in your distro's package repository. XBindKeys uses a simple config file to map keyboard and mouse events to commands. For example, you might want to do

"firefox"
            b:4

in ~/.xbindkeysrc. This will cause it to start Firefox when you press button 4. To control Amarok, or any other KDE application, you'll need to investigate DCOP (Desktop Communications Protocol). Run kdcop and look at the commands that Amarok accepts. Execute the commands from kdcop and it shows the command line DCOP call that will do the same thing from a script, or XBindKeys. You will need to experiment to find what you need, but for starters, this will skip to the next track in Amarok:

dcop amarok player next

</answer>

<title>Mail man</title>

<question>I'm currently running Fedora Core 4 on my desktop and was wondering if it's possible to relay mail sent via Cron jobs etc. through my mail server running Sendmail. It would save me having to run another instance of Sendmail on my desktop. </question>

<answer>Although there is next to no configuration required to set up Sendmail or Postfix on Fedora Core 4, you can use ESMTP or SSMTP to relay your desktop's mail through an external mail server. I've used SSMTP in the past, but it appears that only ESMTP is currently available via Yum. To install, run

# yum install esmtp
# cat > /etc/esmtprc << "EOF"
hostname = mailserver:25
mda "/usr/bin/procmail -d %T"
EOF
#

This basic configuration will route mail through a server named mailserver, on port 25. You can man esmtp and man esmtprc for more information on esmtp and the configuration file. If Sendmail is currently your default MTA (run alternatives --display mta to check), you can issue the following to switch ESMTP to the default:

# alternatives --config mta

This will bring up a basic menu that allows you to switch the default MTA. Finally, if you intend to relay mail through your Sendmail server destined for a mailbox that's not local (i.e. redirecting Cron output to an @gmail.com address), ensure you configure /etc/mail/access on the Sendmail server to permit your desktop to relay through it. As I've suggested, SSMTP is another option that can be used instead of ESMTP. It's not available via Yum, so you'll need to install it manually. Here is a basic outline of how to get it up and running:

# cd /root
# wget ftp://ftp.debian.org/debian/pool/main/s/ssmtp/ssmtp_2.61.orig.tar.gz
# tar -xzvf ssmtp_2.61.orig.tar.gz
# cd ssmtp_2.61
# make
# make install

This will prompt you for a few pieces of information and will install the SSMTP binary to /usr/local/sbin and ssmtp.conf to /usr/local/etc/ssmtp/ssmtp.conf. The main line that needs to be adjusted in ssmtp.conf is 'mailhub=mail', where 'mail' is your Sendmail server's hostname. For more information, run man ssmtp and view the default ssmtp.conf configuration file in the ssmtp_2.61 source directory. As this is a manual install not using rpm, you will need to use the alternatives command to add SSMTP to the alternatives system. This can be done with

# alternatives --install /usr/sbin/sendmail mta /usr/local/sbin/ssmtp 10

Finally, ensure that SSMTP is the default MTA:

# alternatives --config mta

Again, this command will ask which MTA to use, and don't forget that if you plan on relaying to external addresses, you should configure the Sendmail server to permit relaying from your desktop's IP address. </answer>

<title>Bonding</title>

<question>Running Red Hat, I have two Ethernet cards plugged into a single switch and a single static IP address. Is it possible to set up network multi-pathing on these two network interfaces so that if one link dies, it fails over to the second without setting up a virtual IP address? </question>

<answer> Yes, IP multi-pathing (bonding) allows a host to be redundantly connected to a network by two independent paths. There are other bonding methods, but as you want high availability I'd suggest IP multi-pathing is your best bet. Unlike the floating virtual IP method of multi-path redundancy, bonding creates a floating virtual interface. Under Red Hat, to configure bonding you need to associate the two physical interfaces with a new virtual bonded interface, `bond0', within the standard network configuration files. Thus, ifcfg-eth0 and ifcfg-eth1 will need to contain the following:

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
TYPE=Ethernet
MASTER=bond0
SLAVE=yes

/etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
TYPE=Ethernet
MASTER=bond0
SLAVE=yes

Now, create a new bonded network interface file called bond0 that contains the network specific information that your previous network configuration file (ifcfg-eth0) contained, like this:

/etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
ONBOOT=yes
BOOTPROTO=static
TYPE=Ethernet
IPADDR=x.y.z.a
NETMASK=x.y.z.a

You've now configured the network information on the new virtual interface and associated it to the two physical ones. Next you'll need to configure bonding to initialise on boot. Set the polling interface and bonding method, in this case Active/Standby. Add the following to /etc/modprobe.conf:

alias bond0 bonding
options bonding mode=1 miimon=100 primary=eth0
install bond0 /sbin/modprobe eth0; /sbin/modprobe eth1; /sbin/modprobe bonding; /bin/true

Here mode=1 is active/standby, and miimon=100 is the network polling interval in milliseconds (100ms).

Now you'll need to load the bonding module and restart networking. As root, execute the following commands:

# modprobe bond0
# service network restart

The only thing left is to update any config files, such as Iptables, that reference the physical interface with the new bonded interface. </answer>

<title>RPM hell</title>

<question>I attempted to install OpenOffice.org from the Linux Format DVD [LXF74]. Unarchiving the z-file off the DVD gave no ./configure directory, only the RPM files. Using rpm from a shell revealed a circular dependency in the files. CORE01 fails to install because it depends on CORE02 to CORE08, and CORE02 to CORE08 fail to install because they depend on CORE01. I am running Mandrake Linux 9.1 as provided with LXF41. I ran rpm straight from my home directory where I'd saved the RPM files. </question>

<answer> How were you running the rpm command? If you try to install each file separately, it will fail because, as you have discovered, the RPMs are interdependent. The rpm command is capable of handling this situation, but only if you pass it all the files at once. rpm -Uhv *.rpm will install all the RPMs at the same time. Make sure there are no other RPM files present; it is safest to copy them to their own directory. </answer>

<title>QuickTime plugins</title>

<question>I installed SUSE 10.0 OSS from LXF74: it was easy to install and you get free office stuff, but I cannot find an Apple QuickTime plugin for Firefox. I did try the Quicktime4Linux plugin, but it didn't work (it did until they released QuickTime 7.0). The Apple site assumes you either have Mac OS or Windows. Anyhow, I find it really hard to believe Apple does not port a plugin across, since OS X basically runs on a Linux kernel. Unless you know of an alternative site to the QuickTime trailer site, I find myself in a little bit of a pickle. </question>

<answer> The MPlayer plugin for Mozilla works with Firefox too (http://mplayerplug-in.sourceforge.net). This lets you view any file that MPlayer can handle in the browser, including many (though not all) QuickTime files. Many of the later movies use the Sorensen codec, which is a proprietary codec that will not be supported by any open source project, unless it can be reverse engineered. Alternatively, try CrossOver Office. This development of Wine enables you to use Windows plugins in Linux browsers, as well as run various Windows programs directly on the Linux desktop. CrossOver Office is available from www.codeweavers.com/site/products/cxoffice and the standard version costs $39.95. Incidentally, Mac OS X is not based on Linux but a BSD variant. </answer>

<title>Broken promises?</title>

<question>I'm using CentOS (based on RHEL), and I cannot get my Promise SATA card (with attached 500GB disk) to work properly. The latest driver on Promise's website is for an older kernel and doesn't work. I have emailed Promise 20-30 times and I always get a default email reply, but no help at all. Also, I'm planning to buy an IBM laptop, but I want to scratch away Windows XP and install Linux. Can you advise me on which distro I should use; which distro supports IBM laptops with all its drivers and so on? </question>

<answer> I have a Promise SATA controller in this computer, so I know they work. The reason Promise only has drivers for older kernels on its website is that they were incorporated into later kernels, so a separate driver is no longer needed. The chances are that your kernel has been compiled without support for your particular controller, so you may need to recompile it. If you have never compiled your own kernel before, it may seem a daunting task, but it's really quite straightforward. The main thing to remember is that you should install the new kernel alongside the old one, not overwrite it, so you still have your old setup as a fallback option. There are various HOWTOs on kernel compilation, such as the one at www.digitalhermit.com/linux/Kernel-Build-HOWTO.html. As for which distribution to install, IBM laptops are about the best supported in Linux, so any distro should work with your hardware, which means you can make your choice based on which one you prefer to use rather than which one works. Most distros have some form of Live CD or DVD available, so you can try out a few before you decide which one to install. See the Distrowatch section on page 34 for details of what's new. </answer>