Tag: howto

Setting the compilation tag using eyeD3 and Linux

With the eyeD3 command you can easily set the compilation tag for compatibility of your MP3 files with Apple gear. Just change to the directory containing the files making up the compilation (or soundtrack) and execute the following command:

user@debian:/path/to/your/compilation/$ find ./ -name "*.mp3" -exec eyeD3 --set-text-frame=TCMP:1 '{}' ';' &

Hope this snippet proves useful.
github.com

Executing Linux commands in the background using screen

The screen command allows you to detach a running process from a session and then reattach it at a later time. Its use is simple:

user@debian:~$ screen yourlinuxcommand

Now that yourlinuxcommand is executing, press Ctrl+A followed by D to detach the screen.
Obtain a list of all the running screen processes:

user@debian:~$ screen -ls
There is a screen on:
       18470.pts-0.server(02/03/14 10:03:43) (Detached)
1 Socket in /var/run/screen/S-user.

Note the screen id in the above output. Use the screen id to reattach the session at anytime:

user@debian:~$ $ screen -r 18470.pts-0.server

www.thegeekstuff.com, www.linuxjournal.com

The Debian Administrator’s Handbook

“We wanted the book to be freely available (that is under the terms of a license compatible with the Debian Free Software Guidelines of course). There was a condition though: a liberation fund had to be completed to ensure we had a decent compensation for the work that the book represents. This fund reached its target of €25K in April 2012.” Raphaël Hertzog and Roland Mas hope that you will enjoy the book.
debian-handbook.info

Redirecting mail for the local root user

postfix is Ubuntu’s default mail transfer agent (MTA) and can be configured to deliver mail using a relay host that requires SMTP authentication. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install postfix bsd-mailx

Begin to configure your postfix installation by choosing satellite system as the general type of configuration. Enter the local machine name as the mail name (eg mycomputer.edafe.org) and the SMTP server address of your email service provider as the SMTP relay host (eg smtp.relayhost.com). Edit the file /etc/postfix/main.cf and add the following:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Create the file /etc/postfix/sasl_passwd and make the following entries:

smtp.relayhost.com user:password

Substitute smtp.relayhost.com with the address of the SMTP relay host and user:password with your login details. Continue by executing the following three commands:

user@ubuntu:~$ sudo chown root.root /etc/postfix/sasl_passwd
user@ubuntu:~$ sudo chmod 600 /etc/postfix/sasl_passwd
user@ubuntu:~$ sudo postmap hash:/etc/postfix/sasl_passwd

Instruct postfix to reload its settings with the following command:

user@ubuntu:~$ sudo /etc/init.d/postfix reload

Making changes to the alias table

The aliases table provides a system-wide mechanism to redirect mail for local recipients. Edit the file /etc/aliases to contain the following entries:

postmaster: root
root: localuser
localuser: user@yourdomain.com

The localuser is the system administrator. Substitute user@yourdomain.com with the email address that you would like mail for the root user to be redirected to. Finally, update /etc/aliases.db using the following command:

user@ubuntu:~$ sudo newaliases

Mail for the local root user from now on will automatically be forwarded to user@yourdomain.com , using smtp.relayhost.com as the relay host.
www.postfix.org, help.ubuntu.com

Monitoring hard disks with smartmontools

SMART stands for Self-Monitoring, Analysis and Reporting Technology and is built into most modern hard disks. The smartd daemon is part of smartmontools and monitors a disk’s SMART data for any signs of hardware problems. SMART is available with Parallel and Serial ATA disks, drives appearing as either /dev/hd* or /dev/sd*, respectively. Use the following command to obtain relevant information for your system:

user@ubuntu:~$ df -hl

If required, start by configuring postfix to redirect mail for the local root user. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install smartmontools bsd-mailx

Configuring smartd

Edit the file /etc/smartd.conf and comment out any lines beginning with DEVICESCAN. If you are using a netbook or a laptop, add the following line for the smartd daemon to monitor the device /dev/sda:

/dev/sda -a -d ata -n standby -o on -S on -m root -M daily -M test

If you are using a desktop or a server, add the following line for the smartd daemon to monitor the device /dev/hda:

/dev/hda -a -d ata -n never -o on -S on -s (L/../../7/04|S/../.././02) -m root -M daily -M test

See man smartd.conf for more information on how to tailor the operation of smartd to your needs.

Starting smartd

Edit the file /etc/default/smartmontools and uncomment the line containing start_smartd=yes. Restart the smartd daemon with the following command:

user@ubuntu:~$ sudo /etc/init.d/smartmontools restart

Verify that the local root user has received a test message from the smartd daemon. From now on, the smartd daemon will monitor the disk and, in the event of impending disk failure, alert the local root user by email.

Still sending naked email?

“In a world of repressive governments and a growing reliance on insecure networks, there’s no way anyone can be sure their most sensitive messages aren’t intercepted by the forces of darkness. But you can make it mathematically improbable that all but the most well-funded snoops could ever make heads or tales of your communications.” Use Dan Goodin’s step-by-step guide to email encryption and keep your communications private.
www.theregister.com

Editing configuration files with nano

There are many different tools that you can use to edit configuration files. Because of its simplicity, I personally like to use Nano:

user@ubuntu:~$ sudo nano /path/to/the/file

You can change the default settings for nano by editing its configuration file. For example, to stop nano from wrapping text simply make the following changes to /etc/nanorc:

## Don't wrap text at all.
set nowrap

www.nano-editor.org

Public/private key authentication with SSH

Updated 09/10/2016

SSH is a protocol that enables secure logins over a network. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

On the local machine

Use the following command to generate a new key pairs for the local user schmidt:

schmidt@exhaustpiano:~$ ssh-keygen -t ed25519 -o -a 100
schmidt@exhaustpiano:~$ ssh-keygen -t rsa -b 8192 -o -a 100

Use an appropriate passphrase to secure the private key (don’t be tempted to use an empty passphrase).
Deploy the public key with the following command:

schmidt@exhaustpiano:~$ ssh-copy-id schmidt@pizzaposition

On the remote machine

Delete any unused host keys with the following command:

root@pizzaposition:~$ rm /etc/ssh/ssh_host_dsa_key* /etc/ssh/ssh_host_ecdsa_key* /etc/ssh/ssh_host_rsa_key*

Create the group ssh-users with the following command:

root@pizzaposition:~$ addgroup --system ssh-users

Add the local user schmidt to the group ssh-users:

root@pizzaposition:~$ adduser schmidt ssh-users


Make the following changes in sshd_config to improve on the default configuration:

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Specify allowed key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org# Specify the ciphers allowed for protocol version 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128
gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Specifiy the available MAC (message authentication code) algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128
etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac
128@openssh.com

# Logging
LogLevel VERBOSE

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

RSAAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

ClientAliveInterval 15

MaxStartups 3:60:20

UsePAM no
UseDNS no

Restart the SSH server on the remote machine with the following command:

root@pizzaposition:~$ systemctl restart ssh.service

Setting these options will make root logins impossible. Only users belonging to the group ssh-users may establish a connection. Access is strictly tied to the private key and the passphrase used to encrypt it. Using the private key stored on exhaustpiano, local user schmidt should now be able to remotely log into pizzaposition:

schmidt@exhaustpiano:~$ ssh pizzaposition
Enter passphrase for key '/home/schmidt/.ssh/id_ed25519':
Last login: Sun Oct 9 15:51:15 2016 from 12.34.56.78
schmidt@pizzaposition:~$

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
stribika.github.io

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.