GNU'Linux or Linux operating system is free which is very popular for computers.
The term Linux or GNU / Linux (GNU) digunakin also as a reference to keseluzuhan Linux distro (Linux distribution), which is included in other programs supporting the operating system. Sample programs are web servers, programming languages, database, display desktop (Desktop Environment) (such as GNOME and KDE), and office applications (office suite), such as OpenOffice.org, KOffice, AbiWord, Gnumeric.
Linux distributions that have experienced rapid growth in terms of popularity, so the more popular versions of UNIX systems that use license and paid (proprietary) and the free version of UNIX that was originally rival Microsoft Windows dominance in the few.
Linux supports a lot of computer hardware, and has been in various digunakin equipment from personal computers, and superkomputer system benam (embedded systee), such as mobile phone (Ponsel) and personal video recorder.
Initially, Linux is created, developed, and used by peminatnya only. Linux now has support from major corporations such as IBM and Hewlett-Packard. These observers think the success of information technology, this is because Linux does not depend on the vendor (vendor independence), a low operational cost, and compatibility of a high than proprietary versions of UNIX, and security factors and kestabilannya compared with Microsoft Windows. The characteristics of this evidence is also a top model of the development benefits of open source software (opensource software).
This guide explains how to set up an NFS server and an NFS client on Debian Lenny. NFS stands for Network File System; through NFS, a client can access (read, write) a remote share on an NFS server as if it was on the local hard disk.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using two Debian systems here:
* NFS Server: server.example.com, IP address: 192.168.0.100
* NFS Client: client.example.com, IP address: 192.168.0.101
2 Installing NFS
server:
On the NFS server we run:
apt-get install nfs-kernel-server nfs-common portmap
client:
On the client we can install NFS as follows:
apt-get install nfs-common portmap
3 Exporting Directories On The Server
server:
I'd like to make the directories /home and /var/nfs accessible to the client; therefore we must "export" them on the server.
When a client accesses an NFS share, this normally happens as the user nobody. Usually the /home directory isn't owned by nobody (and I don't recommend to change its ownership to nobody!), and because we want to read and write on /home, we tell NFS that accesses should be made as root (if our /home share was read-only, this wouldn't be necessary). The /var/nfs directory doesn't exist, so we can create it and change its ownership to nobody and nogroup:
mkdir /var/nfs
chown nobody:nogroup /var/nfs
Now we must modify /etc/exports where we "export" our NFS shares. We specify /home and /var/nfs as NFS shares and tell NFS to make accesses to /home as root (to learn more about /etc/exports, its format and available options, take a look at
man 5 exports
)
vi /etc/exports
# /etc/exports: the access control list for filesystems which may be exported |
(The no_root_squash option makes that /home will be accessed as root.)
Whenever we modify /etc/exports, we must run
exportfs -a
afterwards to make the changes effective.
4 Mounting The NFS Shares On The Client
client:
First we create the directories where we want to mount the NFS shares, e.g.:
mkdir -p /mnt/nfs/home
mkdir -p /mnt/nfs/var/nfs
Afterwards, we can mount them as follows:
mount 192.168.0.100:/home /mnt/nfs/home
mount 192.168.0.100:/var/nfs /mnt/nfs/var/nfs
You should now see the two NFS shares in the outputs of
df -h
client:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg0-root 19G 676M 17G 4% /
tmpfs 253M 0 253M 0% /lib/init/rw
udev 10M 80K 10M 1% /dev
tmpfs 253M 0 253M 0% /dev/shm
/dev/sda1 471M 20M 427M 5% /boot
192.168.0.100:/home 29G 684M 27G 3% /mnt/nfs/home
192.168.0.100:/var/nfs
29G 684M 27G 3% /mnt/nfs/var/nfs
client:~#
and
mount
client:~# mount
/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
192.168.0.100:/home on /mnt/nfs/home type nfs (rw,addr=192.168.0.100)
192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,addr=192.168.0.100)
client:~#
5 Testing
On the client, you can now try to create test files on the NFS shares:
client:
touch /mnt/nfs/home/test.txt
touch /mnt/nfs/var/nfs/test.txt
Now go to the server and check if you can see both test files:
server:
ls -l /home/
server:~# ls -l /home/
total 4
drwxr-xr-x 2 administrator administrator 4096 2009-02-16 13:18 administrator
-rw-r--r-- 1 root root 0 2009-03-12 17:08 test.txt
server:~#
ls -l /var/nfs
server:~# ls -l /var/nfs
total 0
-rw-r--r-- 1 nobody nogroup 0 2009-03-12 17:08 test.txt
server:~#
(Please note the different ownerships of the test files: the /home NFS share gets accessed as root, therefore /home/test.txt is owned by root; the /var/nfs share gets accessed as nobody, therefore /var/nfs/test.txt is owned by nobody.)
6 Mounting NFS Shares At Boot Time
Instead of mounting the NFS shares manually on the client, you could modify /etc/fstab so that the NFS shares get mounted automatically when the client boots.
client:
Open /etc/fstab and append the following lines:
vi /etc/fstab
[...] |
Instead of rw,sync,hard,intr you can use different mount options. To learn more about available options, take a look at
man nfs
To test if your modified /etc/fstab is working, reboot the client:
reboot
After the reboot, you should find the two NFS shares in the outputs of
df -h
client:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg0-root 19G 676M 17G 4% /
tmpfs 253M 0 253M 0% /lib/init/rw
udev 10M 80K 10M 1% /dev
tmpfs 253M 0 253M 0% /dev/shm
/dev/sda1 471M 20M 427M 5% /boot
192.168.0.100:/home 29G 684M 27G 3% /mnt/nfs/home
192.168.0.100:/var/nfs
29G 684M 27G 3% /mnt/nfs/var/nfs
client:~#
and
mount
client:~# mount
/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
192.168.0.100:/home on /mnt/nfs/home type nfs (rw,sync,hard,intr,addr=192.168.0.100)
192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,sync,hard,intr,addr=192.168.0.100)
client:~#
7 Links
- Linux NFS: http://nfs.sourceforge.net
- Debian: http://www.debian.org
Read More......
Do you often need to reconnect due to download purposes or forward ports manually because some applications don't support it natively? Then this is the right thing for you! This howto covers a Perl script allowing you to administrate your gateway device via UPnP. You can reconnect, add and remove port forwarding entries and many more.
This Perl script allows you to do the following things:
* Trigger a reconnect
* Print all information your gateway offers
* Add a port forwarding entry
* Remove a port forwarding entry
* Print a port forwarding entry
* Print a list of all port forwarding entries
* Remove all port forwarding entries
* Enable or disable internet access globally
Installation
If you want to give it a try, follow these steps to install the script.
1. Copy the script to a file
You can find the script at the bottom of this article. Open your favorite editor and paste the script. Save it to ~/igdctl.pl.
Make the script executable by executing this command:
chmod +x ./igdctl.pl
2. Install a perl module
This script needs a perl module called Net::UPnP to work correctly. Run the following command in a terminal:
sudo apt-get install -y libnet-upnp-perl
This works only with DEB based systems. For RPM based systems you need a different installation command.
Triggering a reconnect
If you want your DSL router to get a new IP address just execute following command:
./igdctl.pl -r
Explanation: The script automaticly looks for an internet gateway device. -r tells the script to send a ForceTermination signal to the gateway.
Print information
You can print all information the gateway offers via UPnP. Use the following command:
./igdctl.pl -p
Explanation: -p tells the script to call some information returning procedures the device offers.
Adding a port forwarding entry
This procedure is needed if you want to use a program which don't support port forwarding via UPnP or NAT natively. Of course you could setup the port forwarding via the gateway's web interface, but the way described here is more comfortable.
The syntax is quite easy:
./igdctl.pl -a -e PORT -i PORT -E REMOTE -I CLIENT -P [TCP|UDP]
Explanation: -a tells the script to add a port mapping entry. -e tells the external port number and -i the internal one. In most cases the port numbers are equivalent. -E tells the remote host. This parameter is optional – in most cases it is left out. -I tells the client address. -P tells the protocol which can be TCP or UDP.
./igdctl.pl -a -e 4332 -i 4332 -I 192.168.0.5 -P TCP
Explanation: This command will setup a TCP port forwarding from the external port 4332 to the internal port 4332 of the client 192.168.0.5.
Removing a port forwarding entry
If you want to remove a port forwarding entry you previously added you can use the remove procedure.
The syntax is as easy as the one above:
./igdctl.pl -R -e PORT -E REMOTE -P [TCP/UDP]
Explanation: span class="system">-R tells the script to remove a previously added port mapping entry. -e tells the external port number. You don't have to specify the internal port number. -E tells the remote host. This parameter is optional. -P tells the protocol which can be TCP or UDP.
./igdctl.pl -R -e 4332 -P TCP
Explanation: This command will remove the previously added port mapping entry (see above).
Printinig a port forwarding entry
You can print information about a port forwarding entry by external port number, remote host and protocol.
The syntax is almost equal to the remove syntax:
./igdctl.pl -g -e PORT -E REMOTE -P [TCP/UDP]
Explanation: span class="system">-g tells the script to print information about a previously added port mapping entry. -e tells the external port number. -E tells the remote host. This parameter is optional. -P tells the protocol.
./igdctl.pl -g -e 4332 -P TCP
Explanation: This command will print the previously added port mapping entry (see above).
Printing a list of all port forwarding entries
If you want to get an overview of all ports being forwarded to clients, use this procedure.
./igdctl.pl -l -I CLIENT
Explanation: -l-I tells the client address. This is optional. Use this if you only want to print entries belonging to a specific client.
./igdctl.pl -l -I 192.168.0.5
Explanation: This will print out all port forwarding entries by 192.168.0.5
Removing all port forwarding entries at once
Quite useful if you want to remove all port forwarding entries globally or by a specific client.
./igdctl.pl -c -I CLIENT
Explanation: -c-I tells the client address. This is optional. Use this if you only want to remove entries belonging to a specific client.
./igdctl.pl -c -I 192.168.0.5
Explanation: This will remove all port forwarding entries by 192.168.0.5
Enabling or disabling internet access globally
You can enable or disable internet access globally if your gateway manufacturer has implemented this functionality.
WARNING: This functionality is almost unimplemented. Don't worry if you get an error.
./igdctl.pl [--enable|--disable]
Explanation: I think the syntax is self-explaining. --enable or --disable tells the script to enable or disable internet access globally.
Listings
igdctl.pl
#!/usr/bin/perl
#########################################################################################
#
# igdctl -:- Internet gateway device administration tool written in perl
#
# VERSION: 0.1
# AUTHOR: Vincent Wochnik
# EMAIL: v.wochnik@yahoo.com
# WWW: ubuntu.blogetery.com
# COPYRIGHT: (c) by Vincent Wochnik 2009
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
#
#########################################################################################
use strict;
use Getopt::Long;
use Net::UPnP::Device;
use Net::UPnP::ControlPoint;
## allow bundling of command line options
Getopt::Long::Configure('bundling');
##
## PARSE COMMAND LINE OPTIONS
##
my $help = 0;
my $verbose = 0;
my $action_print = 0;
my $action_enable = 0;
my $action_disable = 0;
my $action_reconnect = 0;
my $action_add_port = 0;
my $action_get_port = 0;
my $action_remove_port = 0;
my $action_list_ports = 0;
my $action_clear_ports = 0;
my $devnum = -1;
my $external_ip = '';
my $external_port = '';
my $internal_ip = '';
my $internal_port = '';
my $protocol = '';
my $duration = '';
my $active = 1; ## flag is set by default
if (!GetOptions('h|help', => \$help,
'v|verbose', => \$verbose,
'p|print' => \$action_print, ## print statistics
'r|reconnect' => \$action_reconnect, ## reconnect
'enable' => \$action_enable, ## enable internet access
'disable' => \$action_disable, ## disable internet access
'a|add-port' => \$action_add_port, ## add port mapping
'g|get-port' => \$action_get_port, ## get a port by external host, ip and protocol
'R|remove-port' => \$action_remove_port, ## remove port mapping
'c|clear-ports' => \$action_clear_ports, ## clear port mapping list
'l|list-ports' => \$action_list_ports, ## list port mappings
'd|device=i' => \$devnum, ## device number
'E|external-ip=s' => \$external_ip, ## external ip address
'e|external-port=i' => \$external_port, ## external port
'I|internal-ip=s' => \$internal_ip, ## client ip address
'i|internal-port=i' => \$internal_port, ## internal port
'P|protocol=s' => \$protocol, ## protocol (TCP/UDP
'D|duration=i' => \$duration, ## expiration time
'A|active=i' => \$active)) { ## active flag
$help = 1;
}
if ($action_print+$action_enable+$action_disable+$action_reconnect+$action_add_port+$action_get_port+$action_remove_port+$action_clear_ports+$action_list_ports > 1) {
## No multiple action parameters!!!
$help = 1;
} elsif ($action_print+$action_enable+$action_disable+$action_reconnect+$action_add_port+$action_get_port+$action_remove_port+$action_clear_ports+$action_list_ports == 0) {
## No action parameter found!!!
$help = 1;
} elsif ($action_print+$action_enable+$action_disable+$action_reconnect == 1) {
## Some action parameters don't require additional parameters
if (($external_ip) || ($external_port) || ($internal_ip) || ($internal_port) || ($duration)) {
$help = 1;
}
} elsif ($action_add_port+$action_get_port+$action_remove_port+$action_clear_ports+$action_list_ports == 1) {
## Check if all parameters are valid
if (
((($action_add_port) || ((($action_clear_ports) || ($action_list_ports)) && ($internal_ip))) && ($internal_ip !~ m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/)) ||
((($action_add_port) || ($action_remove_port) || ($action_get_port)) && ($external_ip) && ($external_ip !~ m/^[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}$/)) ||
(($action_add_port) && (($internal_port <> 65535))) ||
((($action_add_port) || ($action_remove_port) || ($action_get_port)) && (($external_port <> 65535))) ||
(($action_add_port) && (($duration) && ($duration < help =" 1;"> and exit 2;
}
## scanning for devices
print STDOUT "Scanning for devices ...\n" if $verbose;
my @devices = get_igd_devices();
my $devcount = length(@devices);
## error handling
print STDERR "No device found.\n\n" and exit 1 if (!@devices);
## if there is only one device, auto-choose
$devnum = 0 if ($devcount == 1);
## if verbose or device number invalid
if (($verbose) || ($devnum <>= $devcount)) {
printf STDOUT 'Found %d ', $devcount;
print STDOUT "device.\n\n" if ($devcount == 1);
print STDOUT "devices.\n\n" if ($devcount != 1);
}
## print list and ask the user if no device number is given per command argument
if (($devnum <>= $devcount)) {
## print device list
list_devices(@devices);
## user choice
while (($devnum !~ m/^[0-9]+$/) || ($devnum >= $devcount)) {
print("Please select a device.\nDevice: ");
chomp($devnum = );
print STDOUT "Invalid choice. Try again!\n" if (($devnum <>= $devcount));
print STDOUT "\n";
}
}
## Get chosen device
my $device = @devices[$devnum];
my $service;
## get service handler
if ($action_enable+$action_disable+$action_print) {
## Get WANIPCommonInterfaceConfig service
$service = $device->getservicebyname("urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1");
print STDERR "WANCommonInterfaceConfig service not avaleble.\n\n" and exit 1 if (!$service);
} else {##if ($action_reconnect+$action_add_port+$action_get_port+$action_remove_port+$action_clear_ports+$action_list_ports)
## Get WANIPConnection service
$service = $device->getservicebyname("urn:schemas-upnp-org:service:WANIPConnection:1");
print STDERR "WANCommonInterfaceConfig service not avaleble.\n\n" and exit 1 if (!$service);
}
if ($action_print) {
my $res, my $out_args, my $out="";
## Get internet enabled
print STDOUT "Trying to get internet access state ...\n" if $verbose;
$res = $service->postaction("GetEnabledForInternet");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
if ($out_args->{'NewEnabledForInternet'}) {
$out .= sprintf('Internet access : enabled'."\n");
} else {
$out .= sprintf('Internet access : disabled'."\n");
}
}
## Get connection properties ...
print STDOUT "Trying to get connection properties ...\n" if $verbose;
$res = $service->postaction("GetCommonLinkProperties");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('WAN access type : %s'."\n", $out_args->{'NewWANAccessType'});
$out .= sprintf('Maximum upstream rate : %s bps'."\n", $out_args->{'NewLayer1UpstreamMaxBitRate'});
$out .= sprintf('Maximum downstream rate : %s bps'."\n", $out_args->{'NewLayer1DownstreamMaxBitRate'});
$out .= sprintf('Physical link state : %s'."\n", $out_args->{'NewPhysicalLinkStatus'});
}
## Get wan access provider
print STDOUT "Trying to get WAN access provider ...\n" if $verbose;
$res = $service->postaction("GetWANAccessProvider");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('WAN access provider : %s'."\n", $out_args->{'NewWANAccessProvider'});
}
## Get maximum number of active connections
print STDOUT "Trying to get maximum number of active connections ...\n" if $verbose;
$res = $service->postaction("GetMaximumActiveConnections");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('Max. number of active connections : %d'."\n", $out_args->{'MaximumActiveConnections'});
}
## Get total bytes sent
print STDOUT "Trying to get total number of bytes sent ...\n" if $verbose;
$res = $service->postaction("GetTotalBytesSent");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('Total bytes sent : %s'."\n", readable_size($out_args->{'NewTotalBytesSent'}));
}
## Get total packets sent
print STDOUT "Trying to get total number of packets sent ...\n" if $verbose;
$res = $service->postaction("GetTotalPacketsSent");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('Total packets sent : %d'."\n", $out_args->{'NewTotalPacketsReceived'});
}
## Get total bytes received
print STDOUT "Trying to get total number of bytes received ...\n" if $verbose;
$res = $service->postaction("GetTotalBytesReceived");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('Total bytes received : %s'."\n", readable_size($out_args->{'NewTotalBytesReceived'}));
}
## Get total packets received
print STDOUT "Trying to get total number of packets received ...\n" if $verbose;
$res = $service->postaction("GetTotalPacketsReceived");
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out .= sprintf('Total packets received : %d'."\n", $out_args->{'NewTotalPacketsReceived'});
}
print STDOUT $out."\n" and exit 0 if $out; ## print information
print STDERR "Nothing to print out.\n" and exit 1; ## otherwise print an error
} elsif ($action_enable) { ## OK <-- based on Documentation my $res, my %in_args, my $success=1; %in_args = ('NewEnabledForInternet' => '1');
## Enable internet access ...
print STDOUT "Trying to enable internet access ...\n" if $verbose;
$res = $service->postaction("SetEnabledForInternet", \%in_args);
## error handling
if ($res->getstatuscode() == 401) {
print STDERR "Operation not supported. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
} elsif ($action_disable) { ## OK <-- based on Documentation my $res, my %in_args, my $success=1; %in_args = ('NewEnabledForInternet' => '0');
## Disable internet access ...
print STDOUT "Trying to disable internet access ...\n" if $verbose;
$res = $service->postaction("SetEnabledForInternet", \%in_args);
## error handling
if ($res->getstatuscode() == 401) {
print STDERR "Operation not supported. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
} elsif ($action_reconnect) { ## OK <-- based on Documentation my $res, my $success=1; ## Force termination ... print STDOUT "Trying to terminate WANIPConnection ...\n" if $verbose; $res = $service->postaction("ForceTermination");
## error handling
if ($res->getstatuscode() == 501) {
print STDERR "Action failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 710) {
print STDERR "Invalid connection type. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 702) {
print STDERR "Disconnect in progress. (WARNING ".$res->getstatuscode().")\n\n" if $verbose;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDERR "Command failed.\n" and exit 1 if (!$success);
## Requesting new connection ...
print STDOUT "Requesting new connection ...\n" if $verbose;
$res = $service->postaction("RequestConnection");
## error handling
if ($res->getstatuscode() == 704) {
print STDERR "Connection setup failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 708) {
print STDERR "Invalid Layer2 address. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 709) {
print STDERR "Internet access disabled. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 710) {
print STDERR "Invalid connection type. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 705) {
print STDERR "Connection setup in progress. (WARNING ".$res->getstatuscode().")\n\n" if $verbose;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
} elsif ($action_add_port) {
my $res, my %in_args, my $success=1;
%in_args = ('NewRemoteHost' => $external_ip,
'NewExternalPort' => $external_port,
'NewProtocol' => $protocol,
'NewInternalPort' => $internal_port,
'NewInternalClient' => $internal_ip,
'NewEnabled' => $active,
'NewPortMappingDescription' => 'mapped by '.__FILE__,
'NewLeaseDuration' => $duration);
## trying to add port mapping entry
print STDOUT "Trying to add a port mapping entry ...\n" if $verbose;
$res = $service->postaction("AddPortMapping", \%in_args);
## error handling
if ($res->getstatuscode() == 402) {
print STDERR "Invalid args. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 715) {
print STDERR "Wildcard not allowed in remote host address. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 716) {
print STDERR "Wildcard not allowed in external port. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() == 718) {
print STDERR "Conflicting with another mapping entry. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
} elsif ($action_remove_port) {
my $res, my %in_args, my $success=1;
%in_args = ('NewRemoteHost' => $external_ip,
'NewExternalPort' => $external_port,
'NewProtocol' => $protocol);
## remove port mapping entry
print STDOUT "Trying to remove a port mapping entry matching specified criteria ...\n" if $verbose;
$res = $service->postaction("DeletePortMapping", \%in_args);
## error handling
if ($res->getstatuscode() == 714) {
print STDERR "Entry not found. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success = 0;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
} elsif ($action_get_port) {
my $res, my %in_args, my $out_args, my $out;
%in_args = ('NewRemoteHost' => $external_ip,
'NewExternalPort' => $external_port,
'NewProtocol' => $protocol);
## print port mapping entry
print STDOUT "Trying to print a port mapping entry matching specified criteria ...\n" if $verbose;
$res = $service->postaction("GetSpecificPortMappingEntry", \%in_args);
## error handling
if ($res->getstatuscode() == 714) {
print STDERR "Entry not found. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
$out = sprintf('%6s %15s %13s %15s %13s %10s'."\n", 'ACTIVE', 'REMOTE HOST', 'EXTERNAL PORT', 'CLIENT HOST', 'INTERNAL PORT', 'LEASE TIME') if (!$out);
if ($external_ip) {
$out .= sprintf('%6s %15s %13s %15s %13s %10s'."\n", $out_args->{'NewEnabled'}, $external_ip, $external_port, $out_args->{'NewInternalClient'}, $out_args->{'NewInternalPort'}, $out_args->{'NewLeaseDuration'});
} else {
$out .= sprintf('%6s %15s %13s %15s %13s %10s'."\n", $out_args->{'NewEnabled'}, '*', $external_port, $out_args->{'NewInternalClient'}, $out_args->{'NewInternalPort'}, $out_args->{'NewLeaseDuration'});
}
}
print STDOUT $out."\n" and exit 0 if $out; ## print information
print STDERR "Nothing to print out.\n" and exit 1; ## otherwise print an error
} elsif ($action_list_ports) {
my $res, my %in_args, my $out_args, my $i=0, my $out="";
while ($i >= 0) {
%in_args = ('NewPortMappingIndex' => $i);
## search port mapping entry
print STDOUT "Trying to search port mapping entry ...\n" if $verbose;
$res = $service->postaction("GetGenericPortMappingEntry", \%in_args);
## error handling
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$i = -1; ## stop loop - there are no more entries
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
if ((!$internal_ip) || ($out_args->{'NewInternalClient'} =~ m/^($internal_ip)$/)) {
$out = sprintf('%6s %15s %13s %15s %13s %10s'."\n", 'ACTIVE', 'REMOTE HOST', 'EXTERNAL PORT', 'CLIENT HOST', 'INTERNAL PORT', 'LEASE TIME') if (!$out);
if ($out_args->{'NewRemoteHost'}) {
$out .= sprintf('%6s %15s %13s %15s %13s %10s'."\n", $out_args->{'NewEnabled'}, $out_args->{'NewRemoteHost'}, $out_args->{'NewExternalPort'}, $out_args->{'NewInternalClient'}, $out_args->{'NewInternalPort'}, $out_args->{'NewLeaseDuration'});
} else {
$out .= sprintf('%6s %15s %13s %15s %13s %10s'."\n", $out_args->{'NewEnabled'}, '*', $out_args->{'NewExternalPort'}, $out_args->{'NewInternalClient'}, $out_args->{'NewInternalPort'}, $out_args->{'NewLeaseDuration'});
}
}
$i++;
}
}
print STDOUT $out."\n" and exit 0 if $out; ## print information
print STDERR "Nothing to print out.\n" and exit 1; ## otherwise print an error
} elsif ($action_clear_ports) {
my $res, my %in_args, my $out_args, my $i=0, my $success=1;
while ($i >= 0) {
%in_args = ('NewPortMappingIndex' => $i);
## search port mapping entry
print STDOUT "Trying to search port mapping entry ...\n" if $verbose;
$res = $service->postaction("GetGenericPortMappingEntry", \%in_args);
## error handling
if ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$i = -1; ## stop loop - there are no more entries
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
$out_args = $res->getargumentlist();
if ((!$internal_ip) || ($out_args->{'NewInternalClient'} =~ m/^($internal_ip)$/)) {
%in_args = ('NewRemoteHost' => $out_args->{'NewRemoteHost'},
'NewExternalPort' => $out_args->{'NewExternalPort'},
'NewProtocol' => $out_args->{'NewProtocol'});
## remove port mapping entry
printf STDOUT 'Trying to remove port mapping entry number %d...'."\n", $i+1 if $verbose;
$res = $service->postaction("DeletePortMapping", \%in_args);
## error handling
if ($res->getstatuscode() == 714) {
print STDERR "Entry not found. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success=0;
$i = -1; ## stop loop - there is an error
} elsif ($res->getstatuscode() != 200) {
print STDERR "Operation failed. (ERR ".$res->getstatuscode().")\n\n" if $verbose;
$success=0;
$i = -1; ## stop loop - there is an error
} else {
print STDOUT "Done (OK ".$res->getstatuscode().")\n\n" if $verbose;
}
} else {
$i++;
}
}
}
print STDOUT "Command successful.\n" and exit 0 if $success;
print STDERR "Command failed.\n" and exit 1;
}
sub get_igd_devices() {
my $cp, my @devices, my $device, my @filtereddevs;
$cp = Net::UPnP::ControlPoint->new();
## scan for devices
@devices = $cp->search(st => 'upnp:rootdevice', mx => '1');
## and another time if none found
@devices = $cp->search(st => 'upnp:rootdevice', mx => '3') if (!@devices);
if (@devices) {
foreach $device (@devices) {
my $devtype = $device->getdevicetype();
if ($devtype =~ m/^urn:schemas-upnp-org:device:InternetGatewayDevice:1$/) {
push(@filtereddevs, $device);
}
}
}
@filtereddevs;
}
sub list_devices() {
my @devices, $devcount;
my $devnum, my $devmanuf, my $devmodel, my $devsn, my $devudn, my $devupc;
@devices = $_[0];
$devcount = length(@devices);
for ($devnum = 0; $devnum < $devcount; $devnum++) { $devmanuf = $devices[$devnum]->getmanufacturer();
$devmodel = $devices[$devnum]->getmodelname();
$devsn = $devices[$devnum]->getserialnumber();
$devudn = $devices[$devnum]->getudn();
$devupc = $devices[$devnum]->getupc();
$devsn = "n/a" if (!$devsn);
$devudn = "n/a" if (!$devudn);
$devupc = "n/a" if (!$devupc);
printf STDOUT 'Device: : %d'."\n", $devnum;
printf STDOUT 'Manufacturer : %s'."\n", $devmanuf;
printf STDOUT 'Model : %s'."\n", $devmodel;
printf STDOUT 'Serial number : %s'."\n", $devsn;
printf STDOUT 'UDN : %s'."\n", $devudn;
printf STDOUT 'UPC : %s'."\n\n", $devupc;
}
}
sub readable_size() {
my $size = $_[0];
my $readable;
if ($size >= 1024*1024*1024*1024) {
$readable = sprintf('%.2f TB', $size/1024/1024/1024/1024);
} elsif ($size >= 1024*1024*1024) {
$readable = sprintf('%.2f GB', $size/1024/1024/1024);
} elsif ($size >= 1024*1024) {
$readable = sprintf('%.2f MB', $size/1024/1024);
} elsif ($size >= 1024*1024*1024*1024) {
$readable = sprintf('%.2f KB', $size/1024);
} else {
$readable = sprintf('%.2f Bytes', $size);
}
$readable;
}
__DATA__
igdctl -:- IGD administration tool written in perl
Version 0.1
USAGE
./igdctl.pl [-h|-p|-r|-a|-g|-R|-l|-c|--enable|--disable]
[-d DEVICE] [-E IP] [-e PORT] [-I IP] [-i PORT]
[-P PROTOCOL] [-D DURATION] [-A ACTIVE]
Example:
./igdctl.pl -r
Actions:
-h, --help : Displays this help text.
-v, --verbose : Verbose mode.
-p, --print : Prints connection information avaleble.
--enable : Enable internet access if supported.
--disable : Disable internet access if supported.
-r, --reconnect : Triggers a reconnect.
-a, --add-port : Adds or overwrites a port mapping entry with the
same internal client address.
-e, -I, -i, -P are needed, -E, -D, -A are
optional.
-g, --get-port : Gets a port mapping entry by remote host,
port and protocol. -e, -P are needed, -E is
optional.
-R, --remove-port : Removes a port mapping entry.
-e, -P are needed, -E is optional.
-l, --list-ports : Lists all port mapping entries. If -I was
specified, only entries by a given IP are shown.
-c, --clear-ports : Removes all port mapping entries. If -I was
specified, only entries by a given IP are
removed.
Options:
-d, --device=DEV : specifies the device number when more then one
devices are avaleble.
-E, --external-ip=IP : specifies a remote host. Wildcards are supported.
-e, --external-port=PORT : specifies an external port number.
-I, --internal-ip=IP : specifies a client ip address.
-i, --internal-port=PORT : specifies a client port number.
-P, --protocol=PROTOCOL : specifies a protocol. TCP and UDP are allowed.
-D, --duration=DURATION : specifies a number of seconds until a port mapping
entry expires.
-A, --active=ACTIVE : Specifies whether a port mapping entry is enabled.
Values 0 and 1 are allowed.
Copyright © 2009 Vincent
All Rights Reserved.
Introduction
Bash completion is a useful tool for completion of file paths, commands etc. By default it is enabled on Ubuntu but not on Debian. With two simple steps it can also be enabled on Debian.
1. Install bash-completion
First of all we need the install the according package:
apt-get install bash-completion
2. Add it to the bash profile
Either edit the ~/.bash_profile file to enable it only for a given user or edit /etc/profile to add it system-wide. Add the following code:
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
3. Try it
In order for it to work you have to log out and relogin and then you can make use of bash completion the usual way. E.g. issue:
apt-g
and then press the TAB key once and the command will be completed to apt-get. Or issue this:
apt
and then press TAB key twice. You can also try with
apt-get install apa
and then press TAB key once to complete as far as possible and a second time to list all options.
Read More......
This document explains how to set up a fully encrypted para-virtualized XEN instance. In this howto, the host system is running Debian Etch, while the guest system to be installed will be using Debian Lenny.
Introduction
If you are concerned about your privacy, you might want to consider using hard disk encryption to protect your valuable private data from spying eyes. Usually, the easiest way would be to use your distribution's installer to set up a fully encrypted system; I think most recent Linux distributions support this. However, when you are using XEN to provide virtualization, there are situations where you might not want to encrypt your whole computer with all guest instances, but instead only encrypt one OS instance. This howto will deal with exactly this situation. It assumes that the XEN host system is already up and running.
Preparing the XEN instance
Firstly, we need to create the XEN configuration for the new guest instance. This can easily be done with the script xen-create-image from the package xen-tools:
xen:~# aptitude install xen-tools
Now, we need to 'teach' xen-tools the existence of Lenny (since, remember, we're using Etch as the host system):
xen:~# ln -s /usr/lib/xen-tools/debian.d /usr/lib/xen-tools/lenny.d
Now, we can create the XEN instance:
xen:~# xen-create-image --memory 150M --size 1G --noswap --ip 10.0.0.1 --hostname crypto.example.com --dist lenny
This last step installs a very basic Debian Lenny guest system. We will use this system to configure encrypted filesystems and eventually copy its contents over to these encrypted filesystems.
The encrypted filesystem(s) of the new system will all be stored using LVM. So basically, this is kind of a 'LVM inside LVM': We need to create a logical volume on the host system which will be made available to the guest system as /dev/sdX, and inside the encrypted guest system, we will install LVM using this /dev/sdX as physical volume to store our volume group:
xen:~# lvcreate -L24G -n crypto.example.com_crypt vg0
Here we assume that the volume group on the XEN server, which holds the logical volumes of all the XEN instances is called vg0.
By default, xen-create-image creates a configuration file /etc/xen/crypto_unencrypted.cfg. We need to modify this to include the additional logical volume, so that it reads as follows:
kernel = '/boot/vmlinuz-2.6.18-6-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.18-6-xen-amd64'
memory = '150'
root = '/dev/sda1'
disk = [ 'phy:vg0/crypto.example.com_disk,sda1,w', 'phy:vg0/crypto.example.com_crypt,sda2,w' ]
name = 'crypto.example.com'
vif = [ 'ip=10.0.0.1' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
So now we're ready to first start into the newly created system:
xen:~# xm create -c /etc/xen/crypto_unencrypted.cfg
Preparatory steps inside the temporary XEN guest
After logging in, we need to install necessary components:
crypto:~# aptitude install lvm2 cryptsetup
Next, we fill the target partition with random data:
crypto:~# dd if=/dev/urandom of=/dev/sda2
Create the cryptodisk:
crypto:~# cryptsetup -c aes-cbc-essiv:sha256 -y -s256 luksFormat /dev/sda2
Enable LVM to handle cryptsetup devices. For this, add the following to the devices section of /etc/lvm/lvm.conf:
types = [ "device-mapper", 16 ]
Open the crypto device:
crypto:~# cryptsetup luksOpen /dev/sda2 crypt
Create the physical volume and the volume group for LVM:
crypto:~# pvcreate /dev/mapper/crypt
crypto:~# vgcreate vg-crypt /dev/mapper/crypt
Create logical volumes:
crypto:~# lvcreate -L1G -nroot vg-crypt
crypto:~# lvcreate -L2G -ntmp vg-crypt
crypto:~# lvcreate -L12G -nvar vg-crypt
crypto:~# lvcreate -L1G -nswap vg-crypt
crypto:~# lvcreate -L3G -nusr vg-crypt
Now, when creating the logical volumes, there is not exactly 1G of space left on the device but slightly more. We use vgdisplay to find out exactly how much space is left and then create the last volume:
crypto:~# lvcreate -l255 -nusrlocal vg-crypt
And create filesystems:
crypto:~# mkfs.ext3 /dev/vg-crypt/root
crypto:~# mkfs.ext3 /dev/vg-crypt/tmp
crypto:~# mkfs.ext3 /dev/vg-crypt/usr
crypto:~# mkfs.ext3 /dev/vg-crypt/usrlocal
crypto:~# mkfs.ext3 /dev/vg-crypt/var
crypto:~# mkswap /dev/vg-crypt/swap
You might ask yourself why I am creating so many filesystems? Well, this is supposed to become a pretty secure system (after all, otherwise, all the encryption does not help if my system is hacked), so later I will be following the advice of the Securing Debian Handbook (http://www.debian.org/doc/manuals/securing-debian-howto/), which however is not covered in this howto.
Mount the newly created filesystems:
crypto:~# mkdir /mnt/target
crypto:~# mount /dev/vg-crypt/root /mnt/target/
crypto:~# mkdir /mnt/target/usr/local -p
crypto:~# mkdir /mnt/target/var
crypto:~# mkdir /mnt/target/tmp
crypto:~# mount /dev/vg-crypt/usr /mnt/target/usr
crypto:~# mount /dev/vg-crypt/usrlocal /mnt/target/usr/local
crypto:~# mount /dev/vg-crypt/var /mnt/target/var
crypto:~# mount /dev/vg-crypt/tmp /mnt/target/tmp
And copy the currently running filesystem to the encrypted ones:
crypto:~# init s
crypto:~# cp -apx / /target/
Since we copied the data from a running system, we need to clean up a bit:
crypto:~# /bin/rm -fr /target/tmp/*
crypto:~# /bin/rm -fr /target/proc/*
crypto:~# /bin/rm -fr /target/sys/*
crypto:~# /bin/rm /target/etc/mtab
Create the /etc/fstab:
proc /proc proc rw,nodev,nosuid,noexec 0 0
/dev/vg-crypt/root / ext3 errors=remount-ro 0 1
/dev/vg-crypt/usr /usr ext3 errors=remount-ro 0 1
/dev/vg-crypt/usrlocal /usr/local ext3 errors=remount-ro 0 1
/dev/vg-crypt/var /var ext3 errors=remount-ro 0 1
/dev/vg-crypt/tmp /tmp ext3 errors=remount-ro 0 1
/dev/vg-crypt/swap none swap sw 0 0
As stated above, here you might want to consider the Securing Debian Handbook and apply some additional security tweaks.
For now, stop the guest system:
crypto:~# halt
Back in the XEN Host-System ...
We need to install some necessary tools:
xen:~# aptitude install cryptsetup initramfs-tools
Now we create a XEN configuration file /etc/xen/crypto_encrypted.cfg for the encrypted system:
kernel = '/boot/vmlinuz-2.6.18-6-xen-amd64'
ramdisk = '/boot/initrd.img-2.6.18-6-xen-amd64_crypt'
memory = '150'
root = '/dev/mapper/vg--crypt-root'
disk = [ 'phy:vg0/crypto.example.com_crypt,sda1,w' ]
name = 'crypto.example.com'
vif = [ 'ip=10.0.0.1' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
Now comes the really tricky part about this. We need to create a new initrd image so that the encrypted system actually asks for the disks Key.
First, we create a file /etc/initramfs-tools/conf.d/cryptroot:
CRYPTROOT=target=crypt,source=/dev/sda1,key=none,lvm=vg--crypt-root
Note that even though the volume group which holds the encrypted filesystems is called vg-crypt, we need to 'escape' the '-' with a second dash.
Then, we add the following lines to the file /etc/initramfs-tools/modules:
aes-x86_64
dm-crypt
dm-mod
sha256
Next, we backup our existing initrd image, create a new one and do some renaming:
xen:~# mv /boot/initrd.img-2.6.18-6-xen-amd64 /boot/initrd.img-2.6.18-6-xen-amd64_orig
xen:~# update-initramfs -k 2.6.18-6-xen-amd64 -v -c
xen:~# mv /boot/initrd.img-2.6.18-6-xen-amd64 /boot/initrd.img-2.6.18-6-xen-amd64_crypt
xen:~# mv /boot/initrd.img-2.6.18-6-xen-amd64_orig /boot/initrd.img-2.6.18-6-xen-amd64
So now we are ready to start the encrypted XEN guest:
xen:~# xm create -c /etc/xen/crypto_encrypted.cfg
If all went well, you will be prompted for the Key to the encrypted volume, and the whole systems boots. Enjoy :)
Now you can still clean up a bit:
xen:~# /bin/rm /etc/xen/crypto_unencrypted.cfg
xen:~# lvremove /dev/vg0/crypto.example.com_disk
One important thing: YOU NEED TO BE ABLE TO TRUST THE HOST SYSTEM!!! If the host system is compromised, it might log the console input when you enter the Key for unlocking the cryptsetup device, thus learning the password whith which you encrypted all your data!!!
Sources
While setting up this encrypted XEN guest instance, the following websites proved useful to me:
- http://www.debian.org/doc/manuals/securing-debian-howto/
- http://tuxmobil.de/samsung_x20_linux_lvm_encryption.html/
- http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDevice
- http://madduck.net/docs/cryptdisk/
Read More......
Lighttpd is a secure, fast, standards-compliant web server designed for speed-critical environments. This tutorial shows how you can install Lighttpd on a Debian Lenny server with PHP5 support (through FastCGI) and MySQL support.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.
2 Installing MySQL 5.0
First we install MySQL 5.0 like this:
aptitude install mysql-server mysql-client
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
3 Installing Lighttpd
Lighttpd is available as a Debian package, therefore we can install it like this:
aptitude install lighttpd
Now direct your browser to http://192.168.0.100, and you should see the Lighttpd placeholder page:
Lighttpd's default document root is /var/www on Debian, and the configuration file is /etc/lighttpd/lighttpd.conf. Additional configurations are stored in files in the /etc/lighttpd/conf-available directory - these configurations can be enabled with the lighttpd-enable-mod command which creates a symlink from the /etc/lighttpd/conf-enabled directory to the appropriate configuration file in /etc/lighttpd/conf-available. You can disable configurations with the lighttpd-disable-mod command.
4 Installing PHP5
We can make PHP5 work in Lighttpd through FastCGI. Fortunately, Debian provides a FastCGI-enabled PHP5 package which we install like this:
aptitude install php5-cgi
5 Configuring Lighttpd And PHP5
To enable PHP5 in Lighttpd, we must modify /etc/php5/cgi/php.ini and add the line cgi.fix_pathinfo = 1 right at the end of the file:
vi /etc/php5/cgi/php.ini
[...] |
To enable the fastcgi configuration (which is stored in /etc/lighttpd/conf-available/10-fastcgi.conf), run the following command:
lighttpd-enable-mod fastcgi
This creates a symlink /etc/lighttpd/conf-enabled/10-fastcgi.conf which points to /etc/lighttpd/conf-available/10-fastcgi.conf:
ls -l /etc/lighttpd/conf-enabled
server1:/usr/bin# ls -l /etc/lighttpd/conf-enabled
total 0
lrwxrwxrwx 1 root root 44 2009-03-19 15:16 10-fastcgi.conf -> /etc/lighttpd/conf-available/10-fastcgi.conf
server1:/usr/bin#
Then we reload Lighttpd:
/etc/init.d/lighttpd force-reload
6 Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www. We will now create a small PHP file (info.php) in that directory and call it in a browser. The file will display lots of useful details about our PHP installation, such as the installed PHP version.
vi /var/www/info.php
phpinfo(); |
Now we call that file in a browser (e.g. http://192.168.0.100/info.php):
As you see, PHP5 is working, and it's working through FastCGI, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
7 Getting MySQL Support In PHP5
To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications. You can search for available PHP5 modules like this:
aptitude search php5
Pick the ones you need and install them like this:
aptitude install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json
Now restart Lighttpd:
/etc/init.d/lighttpd restart
Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:
8 Links
- Lighttpd: http://www.lighttpd.net
- PHP: http://www.php.net
- MySQL: http://www.mysql.com
- Debian: http://www.debian.org
Nginx (pronounced "engine x") is a free, open-source, high-performance HTTP server. Nginx is known for its stability, rich feature set, simple configuration, and low resource consumption. This tutorial shows how you can install Nginx on a Debian Lenny server with PHP5 support (through FastCGI) and MySQL support.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.
2 Installing MySQL 5.0
In order to install MySQL, we run
aptitude install mysql-server mysql-client
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
3 Installing Nginx
Nginx is available as a package for Debian Lenny which we can install as follows:
aptitude install nginx
Start nginx afterwards:
/etc/init.d/nginx start
Type in your web server's IP address or hostname into a browser (e.g. http://192.168.0.100), and you should see the nginx welcome page:
4 Installing PHP5
We can make PHP5 work in nginx through FastCGI. Fortunately, Debian Lenny provides a FastCGI-enabled PHP5 package which we install like this (together with some PHP5 modules like php5-mysql which you need if you want to use MySQL from your PHP scripts):
aptitude install php5-cgi php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Then open /etc/php5/cgi/php.ini and add the line cgi.fix_pathinfo = 1 right at the end of the file:
vi /etc/php5/cgi/php.ini
[...] |
There's no standalone FastCGI daemon package for Debian Lenny, therefore we use the spawn-fcgi program from lighttpd. We install lighttpd as follows:
aptitude install lighttpd
You will see an error message saying that lighttpd can't start because port 80 is already in use:
Starting web server: lighttpd2009-03-19 15:58:09: (network.c.300) can't bind to port: 80 Address already in use
failed!
That's how it's supposed to be because nginx is already listening on port 80. Run
update-rc.d -f lighttpd remove
so that lighttpd will not start at boot time.
We've installed lighttpd because we need just one program that comes with the package, /usr/bin/spawn-fcgi, which we can use to start FastCGI processes. Take a look at
spawn-fcgi --help
to learn more about it.
To start a PHP FastCGI daemon listening on port 9000 on localhost and running as the user and group www-data, we run the following command:
/usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -u www-data -g www-data -f /usr/bin/php5-cgi -P /var/run/fastcgi-php.pid
Of course, you don't want to type in that command manually whenever you boot the system, so to have the system execute the command automatically at boot time, open /etc/rc.local...
vi /etc/rc.local
... and add the command at the end of the file (before the exit line):
[...] |
5 Configuring nginx
The nginx configuration is in /etc/nginx/nginx.conf which we open now:
vi /etc/nginx/nginx.conf
The configuration is easy to understand (you can learn more about it here: http://wiki.codemongers.com/NginxFullExample and here: http://wiki.codemongers.com/NginxFullExample2)
First (this is optional) increase the number of worker processes and set the keepalive_timeout to a reasonable value:
[...] |
The virtual hosts are defined in server {} containers. The default vhost is defined in the file /etc/nginx/sites-available/default - let's modify it as follows:
vi /etc/nginx/sites-available/default
[...] |
server_name _; makes this a default catchall vhost (of course, you can as well specify a hostname here like www.example.com).
In the location / part, I've added index.php to the index line. root /var/www/nginx-default; means that the document root is the directory /var/www/nginx-default.
The important part for PHP is the location ~ \.php$ {} stanza. Uncomment it to enable it. Please make sure that you change the fastcgi_param line to fastcgi_param SCRIPT_FILENAME /var/www/nginx-default$fastcgi_script_name; (replace /var/www/nginx-default with your vhost's document root) because otherwise the PHP interpreter won't find the PHP script that you call in your browser.
Make sure that there are some spaces between include and fastcgi_params; - in the default file this is written as one word which is a bug.
Now save the file and restart nginx:
/etc/init.d/nginx restart
Now create the following PHP file in the document root /var/www/nginx-default:
vi /var/www/nginx-default/info.php
phpinfo(); |
Now we call that file in a browser (e.g. http://192.168.0.100/info.php):
As you see, PHP5 is working, and it's working through FastCGI, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5, including the MySQL module:
6 Links
- nginx: http://nginx.net/
- nginx Wiki: http://wiki.codemongers.com/Main
- PHP: http://www.php.net
- MySQL: http://www.mysql.com
- Debian: http://www.debian.org/
This guide explains how to set up WebDAV with Apache2 on a Debian Lenny server. WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to directly edit files on the Apache server so that they do not need to be downloaded/uploaded via FTP. Of course, WebDAV can also be used to upload and download files.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using a Debian Lenny server with the IP address 192.168.0.100 here.
2 Installing WebDAV
If Apache is not already installed, install it as follows:
aptitude install apache2
Afterwards, enable the WebDAV modules:
a2enmod dav_fs
a2enmod dav
Restart Apache:
/etc/init.d/apache2 restart
3 Creating A Virtual Host
I will now create a default Apache vhost in the directory /var/www/web1/web. For this purpose, I will modify the default Apache vhost configuration in /etc/apache2/sites-available/default. If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.
First, we create the directory /var/www/web1/web and make the Apache user (www-data) the owner of that directory:
mkdir -p /var/www/web1/web
chown www-data /var/www/web1/web
Then we back up the default Apache vhost configuration (/etc/apache2/sites-available/default) and create our own one:
mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default_orig
vi /etc/apache2/sites-available/default
NameVirtualHost * |
Then reload Apache:
/etc/init.d/apache2 reload
4 Configure The Virtual Host For WebDAV
Now we create the WebDAV password file /var/www/web1/passwd.dav with the user test (the -c switch creates the file if it does not exist):
htpasswd -c /var/www/web1/passwd.dav test
You will be asked to type in a password for the user test.
(Please don't use the -c switch if /var/www/web1/passwd.dav is already existing because this will recreate the file from scratch, meaning you lose all users in that file!)
Now we change the permissions of the /var/www/web1/passwd.dav file so that only root and the members of the www-data group can access it:
chown root:www-data /var/www/web1/passwd.dav
chmod 640 /var/www/web1/passwd.dav
Now we modify our vhost in /etc/apache2/sites-available/default and add the following lines to it:
vi /etc/apache2/sites-available/default
[...] |
The Alias directive makes (together with
The final vhost should look like this:
NameVirtualHost * |
Reload Apache afterwards:
/etc/init.d/apache2 reload
5 Testing WebDAV
We will now install cadaver, a command-line WebDAV client:
aptitude install cadaver
To test if WebDAV works, type:
cadaver http://localhost/webdav/
You should be prompted for a user name. Type in test and then the password for the user test. If all goes well, you should be granted access which means WebDAV is working ok. Type quit to leave the WebDAV shell:
server1:~# cadaver http://localhost/webdav/
Authentication required for webdav on server `localhost':
Username: test
Password:
dav:/webdav/> quit
Connection to `localhost' closed.
server1:~#
This guide explains how to set up WebDAV with MySQL authentication (using mod_auth_mysql) on Apache2 on a Debian Lenny server. WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to directly edit files on the Apache server so that they do not need to be downloaded/uploaded via FTP. Of course, WebDAV can also be used to upload and download files.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I'm using a Debian Lenny server with the hostname server1.example.com and the IP address 192.168.0.100 here.
2 Installing Apache2, WebDAV, MySQL, mod_auth_mysql
To install Apache2, WebDAV, MySQL, and mod_auth_mysql, we run:
aptitude install apache2 mysql-server mysql-client libapache2-mod-auth-mysql
You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Afterwards, enable the WebDAV and mod_auth_mysql modules:
a2enmod dav_fs
a2enmod dav
a2enmod auth_mysql
Restart Apache:
/etc/init.d/apache2 restart
3 Creating A Virtual Host
I will now create a default Apache vhost in the directory /var/www/web1/web. For this purpose, I will modify the default Apache vhost configuration in /etc/apache2/sites-available/default. If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.
First, we create the directory /var/www/web1/web and make the Apache user (www-data) the owner of that directory:
mkdir -p /var/www/web1/web
chown www-data /var/www/web1/web
Then we back up the default Apache vhost configuration (/etc/apache2/sites-available/default) and create our own one:
mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default_orig
vi /etc/apache2/sites-available/default
NameVirtualHost * |
Then reload Apache:
/etc/init.d/apache2 reload
4 Configure The Virtual Host For WebDAV
You can find the documentation for mod_auth_mysql in the /usr/share/doc/libapache2-mod-auth-mysql directory. To read it, you have to gunzip the DIRECTIVES.gz and USAGE.gz files:
cd /usr/share/doc/libapache2-mod-auth-mysql
gunzip DIRECTIVES.gz
vi DIRECTIVES
gunzip USAGE.gz
vi USAGE
Having read these two files, we create a MySQL database called webdav in which we will create the table mysql_auth which will contain our users and passwords. In addition to that we create the MySQL user webdav_admin - this user will be used by mod_auth_mysql to connect to MySQL later on:
mysqladmin -u root -p create webdav
mysql -u root -p
GRANT SELECT, INSERT, UPDATE, DELETE ON webdav.* TO 'webdav_admin'@'localhost' IDENTIFIED BY 'webdav_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON webdav.* TO 'webdav_admin'@'localhost.localdomain' IDENTIFIED BY 'webdav_admin_password';
FLUSH PRIVILEGES;
(Replace webdav_admin_password with a password of your choice.)
USE webdav;
create table mysql_auth (
username char(25) not null,
passwd char(32),
groups char(25),
primary key (username)
);
(Of course, you can as well use existing tables holding your user credentials, and you can as well have additional fields in the table, such as a field that defines if a user is active or not, for example.)
Now we insert the user test into our mysql_auth table with the password test (MD5 encrypted); this user belongs to the group testgroup:
INSERT INTO `mysql_auth` (`username`, `passwd`, `groups`) VALUES('test', MD5('test'), 'testgroup');
You can later on use the URL http://192.168.0.100/webdav to connect to WebDAV. If you do this on a Windows XP client and type in the user name test, Windows translates this to 192.168.0.100\test. Therefore we create a second user account now:
INSERT INTO `mysql_auth` (`username`, `passwd`, `groups`) VALUES('192.168.0.100\\test', MD5('test'), 'testgroup');
(We must use a second backslash here in the user name to escape the first one!)
You don't have to do this if you specify the port in the WebDAV URL, e.g. http://192.168.0.100:80/webdav - in this case Windows will simply look for the user test, not 192.168.0.100\test.
Then we leave the MySQL shell:
quit;
Now we modify our vhost in /etc/apache2/sites-available/default and add the following lines to it:
vi /etc/apache2/sites-available/default
[...] |
The Alias directive makes (together with
The AuthBasicAuthoritative Off and AuthUserFile /dev/null are there to prevent that you get errors like these ones in your Apache error log (/var/log/apache2/error.log):
[Wed Jun 11 17:02:45 2008] [error] Internal error: pcfg_openfile() called with NULL filename
[Wed Jun 11 17:02:45 2008] [error] [client 127.0.0.1] (9)Bad file descriptor: Could not open password file: (null)
If you have additional fields in your MySQL table that define if a user is allowed to log in or not (e.g. a field called active), you can add the Auth_MySQL_Password_Clause directive, e.g.:
[...] |
(It is important that the string within the quotation marks begins with a space!)
The require valid-user directive makes that each user listed in the mysql_auth table can log in as long as he/she provides the correct password. If you only want certain users to be allowed to log in, you'd use something like
[...] |
instead. And if you only want members of certain groups to be allowed to log in, you'd use something like this:
[...] |
The final vhost should look like this:
NameVirtualHost * |
Reload Apache afterwards:
/etc/init.d/apache2 reload
5 Testing WebDAV
We will now install cadaver, a command-line WebDAV client:
aptitude install cadaver
To test if WebDAV works, type:
cadaver http://localhost/webdav/
You should be prompted for a user name. Type in test and then the password for the user test. If all goes well, you should be granted access which means WebDAV is working ok. Type quit to leave the WebDAV shell:
server1:~# cadaver http://localhost/webdav/
Authentication required for webdav on server `localhost':
Username: test
Password:
dav:/webdav/> quit
Connection to `localhost' closed.
server1:~#
Now test again with the username 192.168.0.100\test (this is the format that Windows XP needs if you don't use :80 in the WebDAV URL):
cadaver http://localhost/webdav/
server1:~# cadaver http://localhost/webdav/
Authentication required for webdav on server `localhost':
Username: 192.168.0.100\test
Password:
dav:/webdav/> quit
Connection to `localhost' closed.
server1:~#
6 Configure A Windows XP Client To Connect To The WebDAV Share
This is described on http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-debian-lenny-p2.
If you don't use :80 in the WebDAV URL (http://192.168.0.100:80/webdav), you must log in with the username 192.168.0.100\test; if you do use :80, then you can simply log in with the username test.
7 Configure A Linux Client (GNOME) To Connect To The WebDAV Share
This is described on http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-debian-lenny-p3.
8 Troubleshooting
It's a good idea to watch the Apache error log (/var/log/apache2/error.log) while you're trying to connect to WebDAV, e.g. with this command:
tail -f /var/log/apache2/error.log
If you get an error like this:
[Wed Jun 11 15:39:04 2008] [error] [client 192.168.0.46] (13)Permission denied: Could not open property database. [500, #1]
this means that /var/lock/apache2 is not owned by the Apache user (www-data on Debian). You can fix this problem by running:
chown www-data /var/lock/apache2
If Windows keeps asking and asking about the username and password, you should specify the port in the WebDAV URL, e.g. http://192.168.0.100:80/webdav (see chapter four).
9 Links
- WebDAV: http://www.webdav.org
- Apache: http://httpd.apache.org
- Debian: http://www.debian.org
- mod_auth_mysql: http://modauthmysql.sourceforge.net
Read More......
Posts
