Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Tweaking Ubuntu 16.04LTS

Still on my Ubuntu kick even 8 months later. I figured it’s about time to redo the laptop so I should mark down my notes.

I ended up installing the Unity Tweak Tool to make many changes I felt would benefit myself (yeah I even installed the Windows10 Icons Theme…)
sudo apt-get install unity-tweak-tool

I also fixed the scrolling issues with Firefox. On the 7370 with touchscreen, touching the screen on any webpage in FF was only selecting text and images, which made my life more interesting.

sudo nano /usr/share/applications/firefox.desktop
Search for Exec
Exec=env MOZ_USE_XINPUT2=1 firefox %u
Save and close

Someone also pointed out that single vs double fingers may make a difference. It didn’t for me, but I’ll still make a note of it.
about:config to set dom.w3c_touch_events.enabled=1 (default was 2)

I’ll eventually have to set this up as my primary workstation and get Office to function correctly under wine.

Install Cacti Ubuntu 17.04

Yeah I know, I’m usually not one to use a non-LTS Ubuntu installation. But I needed to utilize some of the newest tech, so it happened to be on my test machine. And I needed Cacti and LDAP authentication.

Either way, do the usual updates first:
apt-get update && apt-get dist-upgrade

Install Cacti from the repo (good enough, although AZ would tell me not to)
apt-get install cacti-spine
There are some wizard questions it asks here, just fill them out.
apt-get install php-ldap

Configure Cacti
http://theserversIP/cacti
Login with your admin account – in my case I forgot I had set the password to my root one, so that’s what I used.

To reset the admin account password back to the default of ‘admin’:

mysql -u root -p cacti
update user_auth set password=md5('admin') where username='admin';
Profit

LDAP Settings:

I should note that these work on a Server 2012 R2 Std Active Directory domain with Cacti version 0.8.8h and PHP 7.0.22.
(Configuration > Settings > Authentication)
Select LDAP Authentication
I picked Guest user “guest” and User Template “admin” because I just wanted to get this to work for testing – just allowing all users admin access is NOT a good idea.

Server: FQDN or IP of a domain controller
Port Standard: 389
Port SSL (not used): 636
Protocol Version: Version 3
Encryption: None (plain text ftw)
Referrals: Disabled
Mode: Specific Searching
Distinguished Name (DN): blank
Require Group Membership: unchecked

Group Distinguished Name (DN): CN=Information Technology,OU=Groups,OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Group Member Attribute: member
Group Member Type: Distinguished Name

Search Base: OU=LocalUsers,DC=DOMAINNAME,DC=LOCAL
Search Filter: (&(objectclass=user)(objectcategory=user)(userPrincipalName=*))
Search Distinguished Name (DN): svc.cactildap@domainname.local (this is your ldap service account)
Search Password: ******* (this is your ldap service account password)

I should note that the Search Filter could replace “userPrincipalName” with sAMAccountName, but this one worked for me. I should also note you should have a service account created for your LDAP lookups – I create a new svc account for each one (svc.cactildap@domain.tld) in case account lockouts happen etc., AND I have the “log on to” permissions set to just the domain controllers and my Cacti box.

I then opened my browser to http://theserversIP/cacti and used my login svc.cactildap with the password to test. I just used my bsdman account and it worked – no need to add the domain\user or user@domain.

Add Second Drive to Linux

I added a new disk using PVE (Proxmox) as a secondary IDE drive. Primary is 30GB. Running Ubuntu 14.04LTS (I know I should upgrade to 16, but I’m lazy)
Secondary drive is 400GB and I marked it NO Backup.
Adding a secondary HDD to linux is pretty easy.

List all of the drives
fdisk -l

In my case it showed that /dev/sdb didn’t have a partition table. That fact, added to the fact that I knew I was already using sda, made my choice pretty easy. Don’t take my word for it and actually fact-check against your own equipment!

Create partition on the drive
fdisk /dev/sdb
n
p
1
Enter
w

“N” for new, “P” for primary partition, “1” for partition number, “w” to write table to disk and exit. Most of these are the defaults anyway, so hitting “enter” a bunch of times works.

Create the filesystem
mkfs.ext4 /dev/sdb1
Enter a bunch of times

Display the UUID of the new partition/drive
blkid /dev/sdb1
Should get something back like /dev/sdb1: UUID="98d83dk-e4c3-38cd89-3830c0909903" TYPE="ext4"

Add to FSTAB
*note* Adam will laugh at my use of NANO, but I’m a creature of habit.
nano /etc/fstab
Add the UUID to the bottom:
#/dev/sdb1 /mnt/sdb ext4 defaults 0 0
UUID=98d83dk-e4c3-38cd89-3830c0909903 /mnt/sdb ext4 defaults 0 0

Make directory and Mount the drive
mkdir /mnt/sdb
mount -a

Profit!

OSSIM Block Connection Attempts

I installed AlienVault’s OSSIM (the community/free one) and added my subnets for scans. Unfortunately my APC PDUs and batteries really dislike having connection attempts every 2 hours.

Options would include deleting the range and adding smaller ranges, blocking via a firewall, or disabling alerts on the APCs for connection attempts.

So I opted for the easiest option, blocking via the firewall:

SSH to my OSSIM box and “jailbreak” to get to a shell

Create a Shell script
nano block_apc.sh

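#!/bin/sh
# Drop outbound traffic from the OSSIM box to each APC device
iptables -A OUTPUT -d 10.4.0.241 -j DROP
iptables -A OUTPUT -d 10.4.0.242 -j DROP
iptables -A OUTPUT -d 10.4.0.243 -j DROP
iptables -A OUTPUT -d 10.4.0.244 -j DROP
# Prints the resulting rule set to stdout; it does not write it to a file
iptables-save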

Ctrl X
Y

Make the Shell script Executable
chmod +x block_apc.sh

Run the Shell script
./block_apc.sh

Add Self-Signed Certificate to Ubuntu

I’m currently running Untangle as my firewall/router UTM and recently enabled SSL Inspection. Unfortunately apt-get was breaking on my linux boxen, so I had to import the certificate.

On my linux box I ran the following and it worked fine:
wget http://firewallURL/cert
mv cert cert.crt
sudo cp cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
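
Since the certificate above is downloaded over plain HTTP, its SHA-256 fingerprint can be compared with a value obtained from the firewall over a channel you already trust before it goes into the trust store. The script below is an added example, not part of the original post; the function names and the expected fingerprint passed as the second argument are assumptions.

```shell
#!/bin/sh
# Added example: pin the inspection CA by SHA-256 fingerprint before trusting it.
# Usage (assumed): ./install_ca.sh cert.crt <expected-sha256-fingerprint>
# The file must end in .crt for update-ca-certificates to pick it up.

# Normalize a fingerprint: drop any "label=" prefix, colons and whitespace,
# and lowercase the hex digits so both notations compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Print the normalized SHA-256 fingerprint of a PEM certificate file.
# Prints nothing if openssl cannot parse the file.
cert_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Return 0 only if the file parses as a certificate and its fingerprint
# equals the expected one. An empty result never matches.
fp_matches() {
    actual=$(cert_fp "$1")
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$2")" ]
}

# Copy the certificate into the local CA directory only after the check passes.
install_ca() {
    cert=$1
    expected=$2
    if fp_matches "$cert" "$expected"; then
        sudo cp "$cert" /usr/local/share/ca-certificates/ && sudo update-ca-certificates
    else
        echo "fingerprint mismatch for $cert; not installing" >&2
        return 1
    fi
}

# Only act when called with both arguments.
if [ "$#" -eq 2 ]; then install_ca "$1" "$2"; fi
```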

Natural Scrolling Ubuntu

So I’m going through a bit of a Linux kick lately and one of the things I ended up doing was installing Ubuntu 16.04LTS on my Dell 7370 laptop. Afterwards, I started to get sick of the scrolling with two fingers on the touch pad – I was pretty used to the “natural scrolling” function on the laptops.

All of the guides were pointing me towards opening the Mouse/Touchpad settings, but there was no checkbox for Natural scroll anywhere to be found.

User “goetzc” from askubuntu.com pointed me in the right direction:
nano /usr/share/X11/xorg.conf.d/50-synaptics.conf
Find the section that says Identifier "touchpad catchall"
Mine now says:

Section "InputClass"
Identifier "touchpad catchall"
Driver "synaptics"
MatchIsTouchpad "on"
MatchDevicePath "/dev/input/event*"
Option "NaturalScrolling" "on"
Option "MiddleEmulation" "on"
Option "Tapping" "on"
Option "DisableWhileTyping" "on"
EndSection

**EDIT**
I just realized that I couldn’t see the option in my Mouse settings panel because I had a non-compatible theme running that ruined the visuals of many options. Oh well, live and learn I guess.

Webserver CA SSL Request, Linux Windows

I had a need to create a certificate for a new webserver. I have Linux machines available on my Windows domain, which has a certificate authority advertised in Active Directory.

On your linux machine (that has openssl)
openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout webserver1.key -out webserver1.csr

Generating a 2048 bit RSA private key
……………………………………+++
…………………………………..+++
writing new private key to 'webserver1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NO
Locality Name (eg, city) [Default City]:Town
Organization Name (eg, company) [Default Company Ltd]:Winks
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:webserver1.localdomain.local
Email Address []:support@localdomain.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Copy the CSR to your clipboard
nano webserver1.csr
Copy all of the text including the "-----BEGIN" and "-----END" lines

Create the certificate request on your CA

https://certificateauthority/certsrv
Create a new request – Advanced certificate request
Paste the copied text
Select webserver for the certificate template
Submit

I always download as a base64 encoded certificate. I then copied the .cer to my linux box to run the next steps.

On your linux machine create the PFX
openssl pkcs12 -inkey webserver1.key -in webserver1.cer -export -out webserver1.pfx

Enter Export Password:
Verifying - Enter Export Password:

Copy the PFX back to your Windows machine, double click, enter the passcode, and away you go.
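
Two checks fit between downloading the .cer and exporting the PFX: that the issued certificate really belongs to the key generated with the CSR, and that the key file (left unencrypted by -nodes) is not readable by other users. The script below is an added example, not part of the original post; the function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks before exporting webserver1.pfx.
# Usage (assumed): ./build_pfx.sh webserver1.key webserver1.cer webserver1.pfx

# Public key embedded in the issued certificate (PEM on stdout).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key created alongside the CSR.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return 0 only if both public keys could be read and are identical.
key_matches_cert() {
    k=$(key_pubkey "$1")
    c=$(cert_pubkey "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# -nodes leaves the key unencrypted, so the file mode is its only protection.
# Return 0 if group and other have no permission bits set (e.g. mode 600).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run both checks, then the same pkcs12 export used in the post.
build_pfx() {
    key=$1
    cert=$2
    out=$3
    key_is_private "$key" || { echo "$key is accessible to other users; chmod 600 it" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "$cert was not issued for $key" >&2; return 1; }
    openssl pkcs12 -inkey "$key" -in "$cert" -export -out "$out"
}

# Only act when called with all three arguments.
if [ "$#" -eq 3 ]; then build_pfx "$1" "$2" "$3"; fi
```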