Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Unifi Linux and Windows Certificates

I thought I knew it all about certificates, but then I was humbled once again.

I needed to “secure” an internal Linux webserver using our Windows 2016 CA so as to remove the “this is an unverified site” messages that liked to pop up when browsing the various sites.

The process I had done in the past was to create the CSR using openssl, then copy the encryption data, open up my trusty http://certserverhere/certsrv/ site and go through the process of making a webserver certificate. Then, when finished, just download the certificate and the CA + chain, import on linux, and profit.

Well, the new versions of the templates (V3 and V4 specifically) no longer allowed the web enrollment using my trusty http://certserverhere/certsrv site. Booo.

I could probably get it to work by just requesting my own certificates using the MMC, but I’m still leaning towards the whole CLI phase of life. I should also note that I find the performance and management of Unifi on Linux to be significantly better and easier than that on Windows. YMMV.

By the way, this is technically how I published a certificate on our Unifi wireless controller. The Certificate Authority (CA) is a Windows Server 2016 box that’s been published in AD. The Unifi machine is running Ubuntu 17.10 and Unifi version 5.6.29. I also used WinSCP, PuTTY, and my base machine is Win10 (not super applicable).

SSH to the Unifi Machine
(I did this as root, so add “sudo” before commands if you’re not the root god)
cd /usr/lib/unifi
java -jar lib/ace.jar new_cert unifi.domain.tld CompanyName Town State Country
This creates unifi_certificate.csr.der and unifi_certificate.csr.pem – the DER is encrypted and the PEM is what we need.

Get the PEM over to your CA Server
I just used nano to view all the data and then copy-pasted it, but feel free to WinSCP it over as well.
nano unifi_certificate.csr.pem
Copy this text, then on the CA create a new text file and paste the data there. Save.

Certreq
Open an administrative Command Prompt on your CA server
certreq -submit -attrib "SAN:dns=unifi.yourdomain.tld&dns=unifi" -attrib "CertificateTemplate:WebServer2018" unifi_certificate.csr.pem
By default your Certificate Template will be “WebServer” instead of the one I listed above – I created my own template with the year it’s valid for the sake of record keeping.

Save the Certificate
Assuming the request went through, you’ll be able to name and save your signed certificate. In my case I named it unifi_withSAN.domain.tld.cer. I also navigated to the http://certserverhere/certsrv site and downloaded the CA certificate, Certificate chain, or CRL (I just downloaded the CA Certificate as it’s a single host with no subs).

Copy it back to Unifi
I used WinSCP to copy both the signed certificate as well as the CA Certificate I downloaded back to my /home directory on the Unifi server.

Final Touches
Back on your Unifi SSH session (in the /usr/lib/unifi directory)
java -jar lib/ace.jar import_cert /home/unifi_withSAN.domain.local.cer /home/srv-cert01-ca.cer
Replace srv-cert01-ca with the name of your CA certificate.
If successful, restart the unifi services
service unifi restart

Close your browser and open back up to https://unifi:8443 and no more error!
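Before handing the files to import_cert, it is worth checking that the .cer you saved is really the one you asked for. The script below is an added example (mine, not from the post and not Ubiquiti's code) that uses openssl to check three things: the SAN list contains the hostname, the certificate verifies against the CA certificate you downloaded, and its public key matches the CSR that ace.jar produced (which catches grabbing the wrong certificate out of the CA's Issued Certificates list). The file names in the usage comment are the post's; demo_selfcheck builds a throwaway CA and leaf certificate so the checks can be exercised without touching the real files.

```shell
#!/bin/sh
# Added example (not from the post or from Ubiquiti): sanity checks to run on
# the signed certificate and CA certificate before "ace.jar import_cert".
# Assumes openssl is installed. File names follow the post.

# Does the certificate's Subject Alternative Name list contain this DNS name?
cert_has_san() {   # cert_has_san CERT DNSNAME
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | grep -q "DNS:$2\$"
}

# Does the certificate verify against the CA certificate we downloaded?
cert_chains_to_ca() {   # cert_chains_to_ca CERT CACERT
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate carry the public key from our CSR? (Catches picking the
# wrong .cer out of the CA's "Issued Certificates" list.)
cert_matches_csr() {   # cert_matches_csr CERT CSR
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    r=$(openssl req  -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# Run all three checks; stop with a message on the first failure.
check_unifi_cert() {   # check_unifi_cert CERT CACERT CSR DNSNAME
    cert_has_san "$1" "$4"      || { echo "SAN does not contain $4" >&2; return 1; }
    cert_chains_to_ca "$1" "$2" || { echo "certificate does not chain to $2" >&2; return 1; }
    cert_matches_csr "$1" "$3"  || { echo "certificate key does not match the CSR" >&2; return 1; }
    echo "OK: $1 is ready for import_cert"
}

# Self-test with a throwaway CA and leaf certificate (all constructed) so the
# checks can be exercised without touching the real files.
demo_selfcheck() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
            -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.cer \
            -subj "/CN=Unrelated CA" -days 1 >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr.pem \
            -subj "/CN=unifi.example.test" >/dev/null 2>&1
        printf 'subjectAltName=DNS:unifi.example.test,DNS:unifi\n' > san.cnf
        openssl x509 -req -in leaf.csr.pem -CA ca.cer -CAkey ca.key -CAcreateserial \
            -days 1 -extfile san.cnf -out leaf.cer >/dev/null 2>&1
        check_unifi_cert leaf.cer ca.cer leaf.csr.pem unifi.example.test >/dev/null &&
        cert_has_san leaf.cer unifi &&
        ! cert_has_san leaf.cer bogus.example.test &&
        ! cert_chains_to_ca leaf.cer other.cer
    )
    rc=$?
    rm -rf "$d"
    return $rc
}

# Real run, from /usr/lib/unifi after copying the files over:
# check_unifi_cert /home/unifi_withSAN.domain.local.cer /home/srv-cert01-ca.cer \
#     unifi_certificate.csr.pem unifi.domain.tld
```

If the chain check fails with a single-host CA, the usual cause is that the file downloaded from certsrv was the chain (PKCS#7) rather than the plain CA certificate; the post's "download the CA Certificate" choice is the right one for this script.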

Xibo Install Ubuntu 17.04

Technically this guide could be used for 16.04 and 16.10 (maybe even 17.10 when it arrives), but I tested on 17.04. I wanted to get Xibo installed to stop using a monthly subscription for terrible service, save some money, be the hero, and get a slightly larger bonus.

Install Ubuntu 17.04
LAMP
Mail
Standard
OpenSSH

Enable Root, SSHD Config (optional, may make your configuration less secure)
sudo passwd root
newpassword
sudo su -
nano /etc/ssh/sshd_config
PermitRootLogin yes
Ctrl x
y
service sshd restart

Update Your Server
apt-get update && apt-get dist-upgrade
y

Install PHP 5.6
I know, by default LAMP installs PHP 7 now. We need PHP 5.6+ but less than 7.
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install php7.0 php5.6 php5.6-mysql php-gettext php5.6-mbstring php-mbstring php7.0-mbstring php-xdebug libapache2-mod-php5.6 libapache2-mod-php7.0

Install PHP 7 (NOTE: XIBO CURRENTLY DOES NOT SUPPORT PHP 7+, SO THESE NOTES ARE TO BE DISREGARDED)
apt-get install php-gd php-mcrypt php-soap php-dom php-curl php-zip

Switch From PHP7 to PHP5.6
a2dismod php7.0 ; sudo a2enmod php5.6 ; sudo service apache2 restart
update-alternatives --set php /usr/bin/php5.6

Switch From PHP5.6 to PHP7 (OPTIONAL)
a2dismod php5.6 ; sudo a2enmod php7.0 ; sudo service apache2 restart
update-alternatives --set php /usr/bin/php7.0

Download XIBO, Change Permissions on Apache (Currently version 1.8.2)
wget https://github.com/xibosignage/xibo-cms/releases/download/1.8.2/xibo-cms-1.8.2.tar.gz
tar xvzf xibo-cms-1.8.2.tar.gz
mv xibo-cms-1.8.2 /var/www/html/xibo-server
chown -R www-data:www-data /var/www/html/xibo-server
apache2ctl restart

Create XIBO Uploads Directory
mkdir /var/www/xibouploads
My default www (DocumentRoot) location is /var/www/html, so this newly created directory sits outside the web root (a good thing: uploaded files should not be directly servable by Apache).
chown -R www-data:www-data /var/www/xibouploads

Configure XIBO Installation
Open a web browser to http://YOURSERVERIP/xibo-server/web/install/index.php
You may want to change your document root or apache virtual host at a later time because remembering http://YOURSERVERIP/xibo-server/web/index.php/login is a PITA.
Follow the white rabbit wizard to complete the setup.

Edit Apache and Redirect
I ended up creating a virtual host for my system and adding a redirect (there was a pesky “I want to load /login instead of index.php” issue).
nano /etc/apache2/sites-enabled/000-default.conf
At the bottom add:

<VirtualHost *:80>
ServerAdmin ITSUPPORT@yourcompany.tld
DocumentRoot /var/www/html/xibo-server/web
ServerName xibo
ServerAlias xibo.yourdomain.local
<Directory "/var/www/html/xibo-server/web">
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
# Apache 2.2 access syntax; on 2.4 (what Ubuntu 17.04 ships) it only works
# because mod_access_compat is enabled by default. The 2.4 equivalent is:
# Require all granted
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Enable mod_rewrite in Apache with a2enmod rewrite (or link the module by hand and restart):
sudo a2enmod rewrite
(or: cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/ && apache2ctl restart)

Add the /login redirect
nano /var/www/html/xibo-server/web/.htaccess
At the bottom add the following:

Redirect /login/ /index.php

Tweaking Ubuntu 16.04LTS

Still on my Ubuntu kick even 8 months later. I figured it’s about time to redo the laptop so I should mark down my notes.

I ended up installing the Unity Tweak Tool to make many changes I felt would benefit myself (yeah I even installed the Windows10 Icons Theme…)
sudo apt-get install unity-tweak-tool

I also fixed the scrolling issues with firefox. On the 7370 with touchscreen, touching the screen on any webpage in FF I was only selecting text and images which made my life more interesting.

sudo nano /usr/share/applications/firefox.desktop
Search for Exec
Exec=env MOZ_USE_XINPUT2=1 firefox %u
Save and close

Someone also pointed out that single vs double fingers may make a difference. It didn’t for me, but I’ll still make a note of it.
about:config to set dom.w3c_touch_events.enabled=1 (default was 2)

I’ll eventually have to set this up as my primary workstation and get Office to function correctly under wine.

Install Cacti Ubuntu 17.04

Yeah I know, I’m usually not one to use a non-LTS ubuntu installation. But I needed to utilize some of the newest tech, so it happened to be on my test machine. And I needed Cacti and LDAP authentication.

Either way, do the usual updates first:
apt-get update && apt-get dist-upgrade

Install Cacti from the repo (good enough, although AZ would tell me not to)
apt-get install cacti-spine
There are some wizard questions it asks here, just fill them out.
apt-get install php-ldap

Configure Cacti
http://theserversIP/cacti
Login with your admin account – in my case I forgot I had set the password to my root one, so that’s what I used.

To reset the admin account password back to the default of ‘admin’:

mysql -u root -p cacti
update user_auth set password=md5('admin') where username='admin';
Profit

LDAP Settings:

I should note that these work on a Server 2012 R2 Std Active Directory domain with Cacti running version 0.8.8h PHP 7.0.22.
(Configuration > Settings > Authentication)
Select LDAP Authentication
I picked Guest user “guest” and User Template “admin” because I just wanted to get this to work for testing – just allowing all users admin access is NOT a good idea.

Server: FQDN or IP of a domain controller
Port Standard: 389
Port SSL (not used): 636
Protocol Version: Version 3
Encryption: None (plain text ftw)
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): blank
Require Group Membership: unchecked

Group Distinguished Name (DN): CN=Information Technology,OU=Groups,OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Group Member Attribute: member
Group Member Type: Distinguished Name

Search Base: OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Search Filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=*))
Search Distinguished Name (DN): svc.cactildap@domainname.local (this is your ldap service account)
Search Password: ******* (this is your ldap service account password)

I should note that the Search Filter could use sAMAccountName in place of userPrincipalName, but this one worked for me. I should also note you should have a dedicated service account for your LDAP lookups. I create a new svc account for each one (svc.cactildap@domain.tld) so that if account lockouts happen, etc., only that one service is affected, and I set the account’s “log on to” permissions to just the domain controllers and my Cacti box.

I then opened my browser to the http://theserversIP/cacti and used my login svc.cactildap with the password to test. I just used my bsdman account and it worked – no need to add the domain\user or user@domain.
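When the login does not work, it helps to reproduce outside Cacti what Cacti does with the settings above: bind as the service account, then search for the user. The script below is an added example (mine, not from the post or from the Cacti project) that does exactly that with OpenLDAP's ldapsearch, using the post's placeholder DNs and filter. The DC hostname and the password-file path are assumptions; the password is read from a file with -y so it appears neither in shell history nor in ps output. The ldap_escape helper goes a step beyond the post: it escapes the characters RFC 4515 forbids raw in a filter value, so a username typed at a login form cannot change the structure of the search filter.

```shell
#!/bin/sh
# Added example (not from the post or from Cacti): reproduce the bind-and-search
# Cacti performs with the settings above using OpenLDAP's ldapsearch, so a
# failing login can be diagnosed outside Cacti. Host and DNs are the post's
# placeholders; the password is read from a file (-y) so it shows up neither
# in shell history nor in "ps" output.

LDAP_HOST="dc01.domainname.local"             # placeholder: a domain controller
BIND_DN="svc.cactildap@domainname.local"      # the post's service account (UPN form binds fine to AD)
SEARCH_BASE="OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL"
BASE_FILTER='(&(objectclass=user)(objectcategory=user)(userPrincipalName=*))'
LDAP_PASS_FILE="${LDAP_PASS_FILE:-/root/.cacti-ldap-pass}"   # placeholder path, keep it mode 0600

# Escape the characters RFC 4515 forbids raw inside a filter value, so a
# username supplied by a user cannot change the structure of the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Narrow the post's filter to a single account so the lookup returns one DN.
user_filter() {   # user_filter BASEFILTER SAMACCOUNTNAME
    printf '(&%s(sAMAccountName=%s))\n' "$1" "$(ldap_escape "$2")"
}

# Bind as the service account and return the DN of the named user, which is
# what Cacti's "Specific Searching" mode does before trying the user's own password.
lookup_user() {   # lookup_user SAMACCOUNTNAME
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST" -D "$BIND_DN" -y "$LDAP_PASS_FILE" \
        -b "$SEARCH_BASE" "$(user_filter "$BASE_FILTER" "$1")" dn
}

# Usage: LDAP_PASS_FILE=/path/to/file ./cacti-ldap-check.sh bsdman
if [ $# -gt 0 ]; then
    lookup_user "$1"
fi
```

If the search returns a DN, the service account, search base and filter are fine and the remaining suspect is the user's own password or the group settings. Note that with Encryption set to None the simple bind sends the service account password in clear text on port 389; ldaps:// on 636 with the same command is the equivalent test for the encrypted setting.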

Add Second Drive to Linux

I added a new disk using PVE (Proxmox) as a secondary IDE drive. Primary is 30GB. Running Ubuntu 14.04LTS (I know I should upgrade to 16, but I’m lazy)
Secondary drive is 400GB and I marked it NO Backup.
Adding a secondary HDD to linux is pretty easy.

List all of the drives
fdisk -l

In my case it showed that /dev/sdb didn’t have a partition table. That fact, added to the other fact I know I was using sda already, made my choice pretty easy. Don’t take my word for it and actually fact-check against your own equipment!

Create partition on the drive
fdisk /dev/sdb
n
p
1
Enter
w

“N” for new, “P” for primary partition, “1” for partition number, “w” to write table to disk and exit. Most of these are the defaults anyway, so hitting “enter” a bunch of times works.

Create the filesystem
mkfs.ext4 /dev/sdb1
Enter a bunch of times

Display the UUID of the new partition/drive
blkid /dev/sdb1
Should get something back like /dev/sdb1: UUID="98d83dk-e4c3-38cd89-3830c0909903" TYPE="ext4"

Add to FSTAB
*note* Adam will laugh at my use of NANO, but I’m a creature of habit.
nano /etc/fstab
Add the UUID to the bottom:
#/dev/sdb1 /mnt/sdb ext4 defaults 0 0
UUID=98d83dk-e4c3-38cd89-3830c0909903 /mnt/sdb ext4 defaults 0 0

Make directory and Mount the drive
mkdir /mnt/sdb
mount -a

Profit!
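Since a typo in fstab is how a box ends up at an emergency shell on the next reboot, here is an added helper (mine, not from the post) that appends the UUID line only after checking that the UUID is well-formed, the mount point is absolute, and the UUID is not already in the file, so re-running it does not produce duplicate entries. It takes the fstab path as a parameter so you can try it on a copy first. The UUIDs in the demo are constructed; note that a real ext4 UUID from blkid is 36 hex characters in 8-4-4-4-12 form, longer than the shortened one in the post, and the validator is strict about that.

```shell
#!/bin/sh
# Added example (not from the post): append a UUID-based entry to an fstab
# file only if it is well-formed and not already present. The fstab path is a
# parameter so the logic can be exercised on a scratch copy before /etc/fstab.

# Validate the UUID form blkid reports for ext4 (8-4-4-4-12 hex digits).
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Does the fstab already reference this UUID (ignoring commented-out lines)?
fstab_has_uuid() {   # fstab_has_uuid FSTAB UUID
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "^UUID=$2[[:space:]]"
}

# add_fstab_entry FSTAB UUID MOUNTPOINT [FSTYPE] [OPTIONS]
# Returns 0 if the entry was added, 1 if it was already there, 2 on bad input.
add_fstab_entry() {
    fstab=$1; uuid=$2; mnt=$3; fstype=${4:-ext4}; opts=${5:-defaults}
    is_uuid "$uuid" || { echo "refusing: '$uuid' is not a UUID" >&2; return 2; }
    case $mnt in
        /*) ;;
        *)  echo "refusing: mount point '$mnt' must be absolute" >&2; return 2 ;;
    esac
    fstab_has_uuid "$fstab" "$uuid" && return 1
    # trailing "0 0": no dump, no fsck ordering, as in the post's line
    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mnt" "$fstype" "$opts" >> "$fstab"
}

# Demo on a scratch file with constructed UUIDs: first add succeeds, the repeat
# is refused as a duplicate, and a malformed UUID is rejected.
demo() {
    f=$(mktemp) || return 1
    printf '# constructed scratch fstab\nUUID=11111111-2222-3333-4444-555555555555 / ext4 errors=remount-ro 0 1\n' > "$f"
    u=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee   # constructed sample UUID
    first=0;  add_fstab_entry "$f" "$u" /mnt/sdb        || first=$?
    second=0; add_fstab_entry "$f" "$u" /mnt/sdb        || second=$?
    third=0;  add_fstab_entry "$f" not-a-uuid /mnt/sdc  || third=$?
    n=$(grep -c "^UUID=$u " "$f" || true)
    rm -f "$f"
    [ "$first" -eq 0 ] && [ "$second" -eq 1 ] && [ "$third" -eq 2 ] && [ "$n" -eq 1 ]
}

# Real use, with the UUID copied from blkid output:
# add_fstab_entry /etc/fstab "$(blkid -s UUID -o value /dev/sdb1)" /mnt/sdb
```

After the real append, `mount -fav` walks fstab without performing the mounts and reports what it would do, which is a cheap check before `mount -a`.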

OSSIM Block Connection Attempts

I installed AlienVault’s OSSIM (the community/free one) and added my subnets for scans. Unfortunately my APC PDUs and batteries really dislike having connection attempts every 2 hours.

Options would include deleting the range and adding smaller ranges, blocking via a firewall, or disabling alerts on the APCs for connection attempts.

So I opted for the easiest of blocking via the firewall:

SSH to my OSSIM box and “jailbreak” to get to a shell

Create a Shell script
nano block_apc.sh

#!/bin/sh
# Drop outbound connections from the OSSIM box to the APC PDUs/UPSes
iptables -A OUTPUT -d 10.4.0.241 -j DROP
iptables -A OUTPUT -d 10.4.0.242 -j DROP
iptables -A OUTPUT -d 10.4.0.243 -j DROP
iptables -A OUTPUT -d 10.4.0.244 -j DROP
# iptables-save only prints the ruleset to stdout; redirect it to the file your
# boot scripts restore from, or the rules are gone after a reboot
iptables-save

Ctrl X
Y

Make the Shell script Executable
chmod +x block_apc.sh

Run the Shell script
./block_apc.sh
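Running block_apc.sh twice appends the same four rules twice, and a plain iptables-save does not survive a reboot. The script below is an added example (mine, not from the post or from AlienVault) doing the same outbound block, but idempotent (it tests with -C before appending), with a sanity check on each address, and with a dry-run default so the plan can be reviewed before anything is applied. The host list is the post's; the rules-file path is a placeholder for whatever your boot scripts feed to iptables-restore.

```shell
#!/bin/sh
# Added example (not from the post or from AlienVault): the same outbound block
# as block_apc.sh, but idempotent (re-running does not stack duplicate rules),
# with input checking and a dry-run mode so the plan can be reviewed first.
# The host list is the post's; the rules-file path is a placeholder for
# whatever your boot scripts feed to iptables-restore.

HOSTS="10.4.0.241 10.4.0.242 10.4.0.243 10.4.0.244"
RULES_FILE="/path/to/rules.v4"   # placeholder

# Dotted-quad check so a typo in the list cannot become a malformed rule.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# The command for one host: -C tests whether an identical rule already exists,
# and -A appends only when it does not.
block_cmd() {   # block_cmd IP
    printf 'iptables -C OUTPUT -d %s -j DROP 2>/dev/null || iptables -A OUTPUT -d %s -j DROP\n' "$1" "$1"
}

# Emit the plan for every host as text; nothing is executed here.
plan_blocks() {   # plan_blocks "IP IP ..."
    for ip in $1; do
        is_ipv4 "$ip" || { echo "skipping '$ip': not an IPv4 address" >&2; continue; }
        block_cmd "$ip"
    done
}

# Number of hosts the plan covers (one line each).
plan_count() { plan_blocks "$1" 2>/dev/null | wc -l | tr -d ' '; }

# Execute the plan and persist the result. Needs root.
apply_blocks() {
    plan_blocks "$HOSTS" | sh -e
    # iptables-save only prints the ruleset; without this redirect the block
    # disappears at the next reboot.
    iptables-save > "$RULES_FILE"
}

case ${1:-} in
    --apply) apply_blocks ;;
    *)       plan_blocks "$HOSTS" ;;   # default: just show the plan
esac
```

Run it with no arguments to see the four -C/-A lines, and with --apply to execute and persist them. Blocking at the firewall also hides these hosts from every other OSSIM check, so the post's alternative of shrinking the scan ranges is the cleaner fix if you still want the PDUs monitored.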

Add Self-Signed Certificate to Ubuntu

I’m currently running Untangle as my firewall/router UTM and recently enabled SSL Inspection. Unfortunately apt-get was breaking on my linux boxen, so I had to import the certificate.

On my linux box I ran the following and it worked fine:
wget http://firewallURL/cert
mv cert cert.crt
sudo cp cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
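Two things bite with this procedure: update-ca-certificates only picks up PEM files ending in .crt, and some appliances serve their CA in DER form, so the bare mv is not always enough; and once this certificate is in the system store, whoever holds its key can transparently inspect every TLS session from the box, so the fingerprint should be compared with what the firewall's admin UI shows before trusting it. The script below is an added example (mine, not from the post or from Untangle) that handles both; the URL and the certificate name are placeholders as in the post, and demo_roundtrip checks the DER detection and conversion on a constructed self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the post or from Untangle): install the inspection CA
# the way the post does, but (a) accept DER as well as PEM, since some appliances
# serve the former and update-ca-certificates needs PEM, and (b) print the
# SHA-256 fingerprint so it can be compared against what the firewall's admin UI
# shows before the certificate is trusted system-wide.
# Assumes openssl is installed; the URL is a placeholder as in the post.

CA_URL="http://firewallURL/cert"
CA_NAME="untangle-inspection"    # becomes /usr/local/share/ca-certificates/<name>.crt

# 0 if the file is PEM, 1 if it is (presumably) DER.
is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Normalise whatever we were given into PEM at the target path.
to_pem() {   # to_pem IN OUT
    if is_pem "$1"; then cp "$1" "$2"; else openssl x509 -inform DER -in "$1" -out "$2"; fi
}

# SHA-256 fingerprint, colon separated, the form most admin UIs display.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Download, convert, show the fingerprint, then install. Needs root.
install_ca() {
    tmp=$(mktemp) || return 1
    wget -q -O "$tmp" "$CA_URL" || { rm -f "$tmp"; return 1; }
    to_pem "$tmp" "/usr/local/share/ca-certificates/$CA_NAME.crt" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "Trusting CA with SHA-256 fingerprint: $(fingerprint "/usr/local/share/ca-certificates/$CA_NAME.crt")"
    echo "(compare with the fingerprint shown in the firewall UI before continuing)"
    update-ca-certificates
}

# Self-test on a constructed self-signed CA: DER is detected and converted, and
# the fingerprint survives the round trip.
demo_roundtrip() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout k.pem -out ca.pem \
            -subj "/CN=Constructed Inspection CA" -days 1 >/dev/null 2>&1
        openssl x509 -in ca.pem -outform DER -out ca.der
        is_pem ca.pem && ! is_pem ca.der &&
        to_pem ca.der back.pem && to_pem ca.pem copy.pem &&
        [ "$(fingerprint ca.pem)" = "$(fingerprint back.pem)" ] &&
        [ "$(fingerprint ca.pem)" = "$(fingerprint copy.pem)" ]
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

To undo it later, delete the .crt from /usr/local/share/ca-certificates/ and run `update-ca-certificates --fresh`, which rebuilds the bundle from what is left.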