Answers 79

<title>Two at once</title>

<question>I have a Dell Precision M60 running SUSE 10.0. Unfortunately, I (and apparently everyone else posting to Google-able sites) cannot connect to an external monitor. I have tried an older Dell analogue tube monitor, as well as a brand-new Sony KLV-S23A10 flat panel TV with a PC connection. I have tried direct connection (no extension cords) from PC to this monitor as well as to an older analogue unit at work. The laptop uses Fn+F8 to switch between internal and external video; invoking this typically hangs the machine. I've examined the BIOS settings (F2 on boot) and tried both video source settings, System and Dock... I have followed various HOWTOs and examined my xorg.conf, to include adding new Monitor and Display and Screen modules... I have changed my resolution, HSync and Vsync settings to match the acceptable range of the monitor (1280x768, 47.4H and 60V being the recommended values)... No success. A Yast hardware scan does not find the monitor anywhere. A similar unit (Dell Latitude) at work that runs Windows XP is able to find an external monitor without problem, so it must be a problem with the Linux kernel, or at least the SUSE implementation thereof. </question>

<answer>Does trying to switch between the video outputs actually hang the machine, or does it just appear to hang because all output is now going to a non-existent device? If the latter, Fn+F8 should switch back to the internal display. X.org has a way to use two monitor outputs at once, called MergedFB. This can be used in the same way you'd use Xinerama to span a desktop across two monitors, but it also has a `clone' mode, which puts the same display on both monitors. This is the mode to use when you want to output a laptop's display to a desktop monitor or projector. You'll need to add the following lines to the Device section of /etc/X11/xorg.conf:

   Option "MergedFB" "auto"
   Option "CRT2Position" "clone"
   Option "MetaModes" "1024x768 800x600 640x480"

The first line saves switching X.org configurations whenever you want to use an external monitor - the system switches to MergedFB if a monitor is detected when X starts. The second line makes the display on the external monitor a clone of the first. The third is a list of supported display modes, so should be the same as the Modes lines in the Screen section. If you don't have any Modes lines, just enter the mode that you usually display at to get you started, provided the external monitor also supports this mode. You may need to set your BIOS to send video both to internal and to external displays. Your Precision laptop uses an ATI Radeon chipset, and I know that the X.org driver for this definitely supports MergedFB as I use it on my iBook. There is a lot more information on setting up and using MergedFB, for cloned or dual-head displays, in the dual-head tutorial from LXF68 and at www.winischhofer.at/linuxsispart2.shtml#mergedfbmode. </answer>

<title>Lost and headless</title>

<question>I set up a remote desktop (through Xandros Control Centre) on a now headless box, and now I can't remember the password. Some Googling showed up nothing useful (the VNC website says to use Vncpasswd - however, it doesn't exist on the box). I cannot attach a monitor to the box, so have no way of launching Xandros Control Centre to reset. I think Xandros just uses standard KDE remote sharing; how do I reset the password from the command line? </question>

<answer> Provided the headless box is running an SSH server, there are a couple of ways to reset the password. If it is using the standard KDE desktop sharing, you could edit ~/.kde/share/config/krfbrc and remove any password lines. This will reset it to password-less operation. Then you can connect and set the password through the KDE Control Centre. Alternatively, you could connect to the box using ssh with the -X option, then run kcontrol. Provided SSH on the headless box is configured to allow X forwarding, the KDE Control Centre will open on your desktop and you can change the password as if you were working directly on the computer. If you run KDE on the computer you use to connect to the box, I'd recommend you allow it to store the password in the KDE Wallet Manager (Kwalletmanager) the next time you connect. Then you won't have to worry about forgetting it again... unless you go and forget the wallet password. </answer>

<title>Fedora packages</title>

<question>I am about to give Fedora Core 4 a try as it looks extremely interesting. However, I am at a loss as to what repositories exist for it. I know about the Fedora Extras repository and the Livna one, but I've read multiple sources on the web saying that others are available. Some people have said that you should avoid mixing these other repositories with Livna and Extras. Could you tell me which repositories are the most commonly used and contain the most packages available for FC 4, the 386 version? </question>

<answer>You have already mentioned the Livna repository at http://rpm.livna.org. Another one worth using is FreshRPMs at http://freshrpms.net. While most repositories contain compatible packages, it is true that there are some clashes between them, caused by different methods of packaging the same software. The safest approach is to install a tested Yum configuration that contains only repositories known to work together. You can get one such from the Unofficial Fedora FAQ at www.fedorafaq.org/#yumconf. Follow the instructions on this page and Yum will be configured with several compatible repositories, including Dag, Dries and redhat-kde in addition to the repositories you've already mentioned. This should give you the widest possible choice of software while avoiding any clashes. </answer>

<title>Special RPMs</title>

<question>I administer a Red Hat Enterprise Linux 4 server that is used to host mail and web for ten production domains. I use all stock RPMs to avoid complications with updates coming in through our systems management platform, Red Hat Network (RHN). Recently I've been asked to recompile PHP with Mcrypt support, but doing so would mean recompiling PHP every time Red Hat releases updates on these RPMs. Is there any way to incorporate Mcrypt support in PHP without having to constantly rebuild my own RPMs or add `php*' to up2date's pkgSkipList? </question>

<answer>You're in luck! I recently came across a project called PHPRPMs (http://phprpms.sourceforge.net), which provides PHP RPMs for little used or non-GPL extensions. The project's RPMs are currently available for Fedora Core 2-4, RHEL 3, and RHEL 4 (i386 and x86_64). Once you've downloaded the appropriate php-mcrypt RPM for RHEL 4, simply install the package using the rpm command. A restart of the httpd service would normally be required, but the installation of the php-mcrypt RPM will do this for you. If you don't have libmcrypt installed (libmcrypt is required to use php-mcrypt), you can download the latest RPM for RHEL 4 from http://dag.wieers.com/packages/libmcrypt. This way, instead of having to forego updates via RHN or having to rebuild PHP RPMs when new updates are released by Red Hat, you can simply check these two sites every once in a while for libmcrypt and php-mcrypt RPM updates. </answer>

<title>Autopackage</title>

<question>I have been wanting to install Autopackage1.0 from LXF69, but don't have a clue how to do so as your magazine does not tell me how. I have it in my home folder and the command tells me it is a directory, but what next? Do you treat this like a tar file or is there some other wizardry I have to do? I would so like to use Autopackage as it seems to be an answer to my prayers for easy installs. I can install RPMs OK but can never get a tar to work. My distro is Mandrake10.1 PowerPack. </question>

<answer> Autopackage is designed to be so easy to use that you don't even need to install it. As soon as you try to install something from a .package file (an 'Autopackage'), it will download the latest files it needs before installing, first asking your permission. You don't even need to copy the Autopackage to your hard disk. This is mentioned in the documentation in the coverdisc's Autopackage directory. To see how it works, open a terminal and type su - to become root, then

bash /mnt/cdrom/Magazine/HotPicks/Autopackage/autopackage-qt-1.0.x86.package

It will ask whether you want it to download Autopackage support files. Answer `Y' and it will do it this one time, installing the support files for future use. Then it will proceed to install the package. Installing from tarballs can require a little patience the first time, but it gets easier. Unpack the tarball with one of these lines, depending on the type of tarball (gzip or bzip2):

tar xzf somepackage.tar.gz 
tar xjf somepackage.tar.bz2

You may find files named README and INSTALL in the directory containing the unpacked files. These will normally explain how to go about installing the software. The most common stumbling block when installing from source on an RPM-based distro like Mandrake, is that the ./configure stage throws up errors about libraries not being installed, when your package manager clearly shows that they are there. This is because RPM packages are normally split into two files: a standard RPM containing the program or library, and a `-devel' RPM containing the library header files. These are not needed to use the program, but you will need them if you want to compile new software against it. So if configure complains about missing libfoo, check that libfoo-devel is also installed. </answer>

<title>Sudos and don'ts</title>

<question>I have been trying to create a script to automate various processes. However, I can't figure out how to run certain parts of the script as root, and other parts as my normal user. I don't want to run the entire script as root, just the odd section. I tried just using the su command, and then realised that I was now a totally different user and no longer executing my script. I realise su isn't the best idea, but for testing purposes it's fine. Is there a way to do this? Am I nuts for even thinking about using su in a script? My second idea was to start another shell as root; however, I'm not entirely sure how to do that from a script. </question>

<answer>The su command starts a new shell process as a different user, so the script running it stops until that shell is closed. Using su in a script is a bad idea, and is often blocked because of the security risks. The safer option is to use sudo. This allows individual commands to be run by specified users, without them needing to know the root password. By default, sudo requires the user to enter their own password, but it is possible to allow some commands to be run without giving a password, which may suit your script. Specify the full path to the commands that you want the user to be able to run in the /etc/sudoers file, and specify `NOPASSWD' if you do not want the script to stop to prompt for your password. Here is a typical entry that allows one user to mount and unmount filesystems without giving a password:

fred ALL = NOPASSWD: /bin/mount,/bin/umount

Note the comment at the top of the /etc/sudoers file - it should be edited with the visudo command, not loaded directly into an editor. Run visudo as root and it will load the file into whatever program you have defined in $EDITOR. You can change this at the time you run visudo with, for example

EDITOR=kate visudo

The reason for doing it this way is that visudo copies /etc/sudoers to a temporary file, loads that into your editor, then checks that your syntax is correct before copying the altered file back. It stops typo-inserting pixies breaking your system, which is considered by most experts to be A Good Thing. </answer>

<title>How to manage logs</title>

<question>I have a few scripts that I run, and I want to generate debug logs that I can occasionally turn on and off. Do you have any suggestions for me? </question>

<answer> Have you considered using Syslog to generate and manage your logs for you? PHP, C and Perl all contain a library for sending Syslog messages to the configured log host. From there, you can configure Syslog to log specific messages to a separate file and update Logrotate to rotate them for you. Firstly, add a new selector (left-hand side) and destination log file (right-hand side) in /etc/syslog.conf and restart Syslog. The selector is made up of two items: the facility and severity. The facility can only be one of local1-local7 not already defined. In this case, I have chosen local3 and want to log all messages.

# newprog
local3.* /var/log/newprog.log
root$ service syslog restart

If I wanted to only log error (err) messages and worse, syslog.conf would instead contain

# newprog
local3.err /var/log/newprog.log

Now confirm that Syslog is working by running the following and checking the output of the log file:

$ logger -p local3.err test message
$ tail -f /var/log/newprog.log
Jan 31 11:46:40 host user: test message

Once you have confirmed Syslog is working, you can now configure Logrotate to log rotate your new log file using the previously defined Logrotate rules by updating the configuration file to include the new log file. Under Red Hat Enterprise Linux, you will need to update /etc/logrotate.d/syslog, adding `/var/log/newprog.log' to the first line of the config file. Now all you need to do is call Syslog within your code, using the selector that you previously added to syslog.conf (remember we used local3) providing a severity level. At a later stage, you can then turn off partial logging by adding a higher severity to the Syslog configuration as described above. More information on Syslog and adding Syslog calls to PHP, C, Perl and Bash can be found in the following documentation. Man pages: Sys::Syslog (3pm), Unix::Syslog (3pm), logger (1), syslog (2). I'd also recommend you look at http://php.net/syslog. </answer>
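How the local3.* and local3.err selectors decide which messages reach /var/log/newprog.log, as an added Python example (not part of the original answer; Python is not one of the languages it lists). The helper names and sample messages are constructed for illustration, and only plain facility.severity selectors are modelled, not the `none', `=' or `!' forms.

```python
import syslog

# syslog.conf severity names, most severe first; the list index is the numeric level.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# local0..local7 are facility codes 16..23.
FACILITIES = {"local%d" % n: 16 + n for n in range(8)}


def priority(facility, severity):
    """Priority value sent with a message: facility code * 8 + severity level."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def selector_matches(selector, facility, severity):
    """Would a plain syslog.conf selector such as 'local3.err' log this message?"""
    sel_facility, sel_severity = selector.split(".", 1)
    if sel_facility not in ("*", facility):
        return False
    if sel_severity == "*":
        return True
    # "err" means err and anything more severe, i.e. a lower numeric level.
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_severity)


def logged_under(selector, messages, facility="local3"):
    """Texts of the (severity, text) messages that the selector would write out."""
    return [text for sev, text in messages if selector_matches(selector, facility, sev)]


def log(severity, message, facility="local3", ident="newprog"):
    """Send one message to the local Syslog daemon with the chosen facility."""
    syslog.openlog(ident)
    syslog.syslog(priority(facility, severity), message)


# Constructed sample messages a script might emit.
MESSAGES = [
    ("debug", "cache miss for key 42"),
    ("info", "job started"),
    ("err", "cannot open input file"),
    ("crit", "disk full"),
]

if __name__ == "__main__":
    for selector in ("local3.*", "local3.err"):
        print(selector, "->", logged_under(selector, MESSAGES))
    for sev, text in MESSAGES:
        log(sev, text)  # lands in /var/log/newprog.log if syslog.conf selects it
```

The script keeps emitting debug messages at all times; switching syslog.conf between the two selectors is what turns the debug output on and off.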

<title>Blue skype</title>

<question>I have acquired a new mobile phone with Bluetooth. It also has a Bluetooth hands-free headset. Can I sync this with my computer? To make me really happy, can you tell me if it is possible to use the headset with Skype, or any other internet phone software? And if so, how? </question>

<answer>The first thing you will need is a Bluetooth adaptor, unless your computer has this built in. These are available for a few pounds from most computer dealers, or eBay of course. You will need to install the bluez package, available for most distros, to provide Bluetooth drivers and tools. If you are running the KDE desktop run kbluetoothd, which provides an icon in the System Tray that shows when Bluetooth devices are connected. Clicking this icon gives you access to these devices. There are a few programs that will sync with a mobile phone to back up/restore your contacts. If it is a Nokia phone, you are probably best served with Gnokii, also available in most distros or from www.gnokii.org. For a more brand-independent approach, you could try KMobileTools from http://kmobiletools.berlios.de. While this may be available as a package for your distro, the most recent packaged version is quite out of date. To get features such as backing up and restoring phonebooks, you need to build the latest version from the project's Subversion repository. Don't worry if you haven't done this before - it is a simple procedure and the KMobileTools website has a step-by-step HOWTO. Using your Bluetooth headset with Skype is also possible, but once again the software you need is unlikely to be included in your distro. The Bluetooth-alsa project - http://bluetooth-alsa.sourceforge.net - provides a way to use a Bluetooth headset as an ALSA device. That is, it appears to the system as a soundcard. You can then tell Skype, or any other program, to use this `soundcard'. You can even listen to your MP3 collection via your Bluetooth headset, but don't expect much in the way of quality. Download and install the software as described on the project's website. Then put your headset into pairing mode and run the following commands to connect the headset:

modprobe -v snd_bt_sco
esdctl stop
hcitool scan
btsco [address]

The address for the final command is the address printed by hcitool scan. It will be something like 00:13:EF:00:09:44. Now you can test the headset with

ls -l /proc/asound
aplay -D plughw:Headset somesound.wav

The first command should show an entry for Headset, and the second will play the specified file through it. Once everything is working, you can automate most of this. Add the module to your distro's modules configuration file (usually /etc/modprobe.conf or /etc/modules.conf). Find the line that starts `alias snd-card-0' and add this after it:

alias snd-card-1 snd_bt_sco

The esdctl and btsco commands can be added to a short script you run whenever you want to pair your headset, like so:

#!/bin/sh
esdctl stop
btsco 00:13:EF:00:09:44

Though it should use the address of your headset, not mine! </answer>

<title>Secure my Server</title>

<question>I am responsible for a web and FTP server running Red Hat Enterprise Linux 4. I have been administering the server and recently configured Logwatch to send me reports. I found entries in the reports that worry me, mainly authentication failures and invalid users. I get these entries every single day, but the IP address and number of attempts change each time. It seems to me that these are attempts to log in to my system using different combinations of usernames and password. Is there any way to stop these annoying attacks on my server? What actions would you recommend to secure my server? </question>

<answer> You are right! The entries you see in Logwatch are automated break-in attempts that try to find a valid user name/password on your server in order to gain local access. There are numerous security configurations that you can use to harden your sshd server. The configuration file of the OpenSSH server is /etc/ssh/sshd_config. Let's take a look at it. While you could set the AllowUsers parameter to allow only a limited number of users to log in, this is hard to manage when you have lots of users on your system, as is the case with a typical FTP server. Attackers can still try to guess the password for any users that are allowed to log in, but if using this option on your server is feasible, then I recommend you do use it. Also, you can disable root logins via ssh by using the option:

PermitRootLogin no

Use strong passwords, and to prevent passwords being guessed I'd recommend not using password authentication at all. You can generate private/public keys for your system users using ssh-keygen; manage keys with ssh-agent/ssh-add and disable password authentication. There are other configurations; you can, for example, reduce the number of connections your sshd server gets by changing the default port. Most automated attacks will only check port 22, so changing to a different port will decrease the number of hits you get on the Logwatch report - try Port 222 in the config file. You should only allow version 2 of the SSH protocol: version 1 has known vulnerabilities and should not be used. And make sure that no one can log in using an empty password, by amending the file to `PermitEmptyPasswords no'. After you've saved changes to the sshd configuration file, the sshd server needs to be restarted for the settings to take effect. These suggestions will thwart most attacks. However, they are static rules that do not adapt to the changing nature of the attack. Also, there might be specific reasons that prevent you from using public key cryptography. There are numerous open source solutions (Sshdfilter, Blockhosts and so on) for this problem, using different tools to do the job: PortSentry, Iptables, Tcpwrappers etc. I will focus on DenyHosts (http://denyhosts.sourceforge.net) since it uses Tcpwrappers, which is available in most Unix systems. In order to use Tcpwrappers, sshd needs to be compiled with libwrap support. Almost all sshd servers deployed are compiled this way but you can verify your specific version using a command like

# ldd /usr/sbin/sshd | grep libwrap
      libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00140000)

DenyHosts is written in Python, so you will need the Python interpreter installed on your system. In Red Hat you can accomplish this by running

# up2date -i python

Now you should download the actual DenyHosts package. Since you are running RHEL 4, you can install the RPM version with

rpm -ivh http://kent.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-1.1.3-python2.3.noarch.rpm

DenyHosts comes with a simple configuration file (/usr/share/denyhosts/denyhosts.cfg-dist), which you can use as a template for your system. By default, it is properly configured for Red Hat-based systems. The relevant options you may want to edit are:

PURGE_DENY = 1w

Specifies how old blocked entries need to be when DenyHosts is invoked with the --purge flag.

DENY_THRESHOLD_INVALID = 5

Number of failed login attempts for invalid users to trigger blocked connections.

DENY_THRESHOLD_VALID = 10

Number of failed login attempts for valid users to trigger blocked connections.

If you want to be notified by email of new blocked hosts, you can specify your address in the `ADMIN_EMAIL = webmaster@example.com' line. The configuration file is extremely well documented and is not hard to interpret. Once you have decided on your particular options, copy this file to /etc/denyhosts.cfg. Now we need to edit the init script (/usr/share/denyhosts/daemon-control-dist) to reflect our system settings. In this case we just need to indicate which configuration file to use:

DENYHOSTS_CFG = "/etc/denyhosts.cfg"

And install the init script with

# cp /usr/share/denyhosts/daemon-control-dist /etc/init.d/denyhost
# chmod +x /etc/init.d/denyhost
# chkconfig denyhost on

Now it is just a matter of running the DenyHosts daemon with

# /etc/init.d/denyhost start &

If you have any break-in attempts on your current /var/log/secure log file, DenyHosts will populate /etc/hosts.deny accordingly, blocking out the offending IP addresses!

# tail -n3 /etc/hosts.deny
sshd: 66.34.205.1
sshd: 64.34.193.58
sshd: 220.117.241.3
sshd: 218.85.119.83

A notification email will also be sent to the ADMIN_EMAIL that you specified above. Server security, and sshd security in particular, is widely dealt with online and you may want to do a web search on "defending against brute force ssh attacks" for extra information. </answer>
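The threshold logic described above, run over sample log lines, as an added Python example (an illustration only, not DenyHosts' own code and not part of the original answer). The log lines are constructed, the "Failed password" message format and the use of >= for the thresholds are assumptions, and all function names are hypothetical.

```python
import re
from collections import Counter

# Thresholds as shown in the denyhosts.cfg excerpt above.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10

# The user name is attacker-controlled and may itself contain " from 1.2.3.4 port 1".
# The greedy (.+) plus the end-of-line anchor make the LAST "from <ip> port <n>"
# win, which is the address sshd actually recorded for the connection.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?$"
)


def count_failures(lines):
    """Return (invalid_user_counts, valid_user_counts), each keyed by source IP."""
    invalid, valid = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            (invalid if m.group("invalid") else valid)[m.group("ip")] += 1
    return invalid, valid


def hosts_to_deny(lines, already_denied=()):
    """IPs that reached either threshold and are not yet in hosts.deny."""
    invalid, valid = count_failures(lines)
    # Assumption: reaching the threshold triggers the block (>=).
    hit = {ip for ip, n in invalid.items() if n >= DENY_THRESHOLD_INVALID}
    hit |= {ip for ip, n in valid.items() if n >= DENY_THRESHOLD_VALID}
    return sorted(hit - set(already_denied))


def hosts_deny_entries(ips):
    """Format entries the way the hosts.deny listing above shows them."""
    return ["sshd: %s" % ip for ip in ips]


def make_lines(count, text):
    """Build constructed /var/log/secure lines (sample data, not real logs)."""
    return ["Jan 31 11:46:40 host sshd[%d]: %s" % (2000 + i, text) for i in range(count)]


SAMPLE_LOG = (
    make_lines(5, "Failed password for invalid user test from 203.0.113.7 port 4000 ssh2")
    + make_lines(4, "Failed password for invalid user admin from 198.51.100.20 port 4001 ssh2")
    + make_lines(10, "Failed password for root from 192.0.2.44 port 4002 ssh2")
    + make_lines(9, "Failed password for fred from 192.0.2.50 port 4003 ssh2")
    # User name crafted to look like a failure coming from 192.0.2.50:
    + make_lines(1, "Failed password for invalid user x from 192.0.2.50 port 1 ssh2"
                    " from 198.51.100.99 port 4004 ssh2")
    + make_lines(1, "Accepted password for fred from 192.0.2.50 port 4005 ssh2")
)

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(hosts_to_deny(SAMPLE_LOG))))
```

The crafted user name is counted against the connecting address rather than the address embedded in it, so a remote client cannot use the log to get an unrelated host added to hosts.deny.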

<title>Something fishy</title>

<question>I know it's rather sad but I should like to be able to set up Xfishtank to act as a background. I use Free Mandriva 2006 with KDE and have installed the Xfishtank software from an RPM. However, the best I have achieved is a fleeting glimpse of the fish tank when I switch the computer off. All I get otherwise is my usual KDE background or screensaver. How do I get to see the little fishies? </question>

<answer> KDE runs its own root window on top of the normal X root window (the desktop background), so programs that normally display their output on the root window are hidden. The glimpse you see is the brief interval between KDE shutting down and X quitting, when the X root window is visible. Fortunately, there is an extremely easy solution. Right-click on the desktop and select Configure Desktop from the menu that appears. Go into the Behaviour section and enable Allow Programs In Desktop Window. This assumes that you have not changed the default action for right-clicking on the desktop. You can also change this setting from the Desktop > Behaviour section of the KDE Control Centre. </answer>

<title>No Debian desktop</title>

<question>I have this day installed Debian 3.1 from the free disc package that came with your September issue [LXF70]. After some mucking about I finally got the first disc installed, and all I would like now is to be able to open the system up so that I can continue. At logon I put in my username, press Enter, then password, Enter... and all that happens is that a new line with `david@debian~$:' appears. What have I done wrong or forgotten to do, and what do I do next? What's the magic word? Obviously I am new to this system and hope I have done the right thing by bothering to install it. </question>

<answer>You have only installed the basic package set, which does not include a graphical desktop. During the second stage of the installation, after the reboot, you are asked to choose from a selection of software collections. The first in this list is called Desktop Environment. If you're following the installation procedure it will look like this is pre-selected, because the cursor is in the selection box to the left of the name, but it is not - package groups are only installed when there is a star in the box. You need to explicitly select the groups you want by moving the highlight bar over them and pressing Space. If you simply press Enter at this stage without selecting anything, you will end up in exactly the frustrating situation that you describe. However, there is no need to panic or reinstall. Log in as root - using the root password you gave during installation - and type aptitude to load the Debian package manager. Highlight Tasks and press Enter; move down to End-user and press Enter; then highlight Desktop Environment and press `+' to select it. You can press G to see what will be installed and G again to begin installation. This will install both the KDE and Gnome graphical desktops; you will be able to choose which you use the first time you log in. There are a few basic configuration questions to answer (the defaults are fine if you are unsure) then you will also be asked some questions to help configure the graphical display. These questions are the same as you would have been asked during installation, had you selected the desktop option. Once the installation (which will take several minutes) has finished, your desktop should load the next time you boot up. </answer>