Category Archives: Debian

Fixing bash Shellshock vulnerability on Raspberry Pi

The recent bash vulnerability, a.k.a. “Shellshock”, is pretty bad, considering it might actually have been around for a very long time, maybe even dating back to the predecessor of bash. Not good.

So what about Raspberry Pi’s?
Are they vulnerable?

Turns out they are, but there is already a fix available for them and patching a Raspi is very simple. Whether your actual Raspi is vulnerable depends on what distribution you are using, and how recently you upgraded the software in it.
The Raspi used below is running IPE-R1, which is a blackout-proof version of Raspbian.

First let’s find out what bash version we have:

root@raspi-2:~# dpkg -s bash | grep Version
Version: 4.2+dfsg-0.1
root@raspi-2:~#

You can also run this little script to determine whether your Raspi is vulnerable to Shellshock:

root@raspi-2:~# env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' bash --norc -c ':' 2>/dev/null;
WARNING: SHELLSHOCK DETECTED
root@raspi-2:~#

Let’s fix this. Just refresh the repos and upgrade bash (the patched version is available in the main repos).

root@raspi-2:~# apt-get update && apt-get install --only-upgrade bash
Get:1 http://archive.raspberrypi.org wheezy Release.gpg [490 B]
Get:2 http://mirrordirector.raspbian.org wheezy Release.gpg [490 B]
Get:3 http://archive.raspberrypi.org wheezy Release [10.2 kB]
...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
 bash-doc
The following packages will be upgraded:
 bash
1 upgraded, 0 newly installed, 0 to remove and 54 not upgraded.
Need to get 1,443 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main bash armhf 4.2+dfsg-0.1+deb7u3 [1,443 kB]
Fetched 1,443 kB in 1s (1,386 kB/s)
(Reading database ... 29754 files and directories currently installed.)
Preparing to replace bash 4.2+dfsg-0.1 (using .../bash_4.2+dfsg-0.1+deb7u3_armhf.deb) ...
Unpacking replacement bash ...
Processing triggers for man-db ...
Setting up bash (4.2+dfsg-0.1+deb7u3) ...
update-alternatives: using /usr/share/man/man7/bash-builtins.7.gz to provide /usr/share/man/man7/builtins.7.gz (builtins.7.gz) in auto mode
root@raspi1:~#

The installed version of bash is now +deb7u3

root@raspi-2:~# dpkg -s bash | grep Version
Version: 4.2+dfsg-0.1+deb7u3
root@raspi-2:~#

The short test script above now prints nothing:

root@raspi-2:~# env x='() { :;}; echo "WARNING: SHELLSHOCK DETECTED"' bash --norc -c ':' 2>/dev/null;
root@raspi-2:~#

You could of course also just run “apt-get upgrade” to upgrade all packages on your Raspi; it takes a bit longer but works just as well.
Also, if you are not logged in as root you need to run “sudo apt-get update” instead, of course.
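
The version check and the one-line test above only cover the bash that dpkg manages; any other copy of bash on the system is not replaced by the package upgrade. The following added example (not from the original post) wraps the same test in a function and runs it against every bash binary listed in /etc/shells; the function names and the marker string are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's Shellshock test
# against every bash binary listed in a shells file, not only the default one.

# Return 0 if the given shell executes the command that trails the function
# definition in the environment variable (vulnerable), 1 otherwise.
is_shellshock_vulnerable() {
    marker="SHELLSHOCK_CHECK_$$"
    out=$(env x="() { :;}; echo $marker" "$1" --norc -c ':' \
          2>/dev/null </dev/null) || true
    case $out in
        *"$marker"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Test each executable named bash/rbash in the shells file (default /etc/shells).
# Prints one line per binary; returns 0 only if none is vulnerable.
audit_bash_binaries() {
    shells_file=${1:-/etc/shells}
    [ -r "$shells_file" ] || { echo "cannot read $shells_file" >&2; return 2; }
    vulnerable=0
    while IFS= read -r path; do
        case $path in
            */bash|*/rbash) ;;
            *) continue ;;          # comments, blank lines, other shells
        esac
        [ -x "$path" ] || continue
        if is_shellshock_vulnerable "$path"; then
            echo "VULNERABLE: $path"
            vulnerable=$((vulnerable + 1))
        else
            echo "ok: $path"
        fi
    done < "$shells_file"
    [ "$vulnerable" -eq 0 ]
}

# Audit the system shells file (or the file given as first argument).
audit_bash_binaries "${1:-/etc/shells}" ||
    echo "review the bash binaries reported above" >&2
```

Run it as root or with sudo once before and once after the upgrade; a binary that is still reported as vulnerable afterwards was not installed from the bash package.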

Burning ISOs to USB sticks on Mac / OS X

For some reason I cannot get the easy-to-use tools out there for burning ISOs to work… Command line to the rescue:

First, make sure Homebrew is installed. It is strictly not needed for the burning-to-thumb-drive process, but will enable the progress indicators, which are quite nice to have for long running tasks. Now install Pipe Viewer from Homebrew:


$ brew install pv

Now we need to figure out the device name of our USB drive. In a terminal window (you are using iTerm2 – right? Infinitely better than OS X’s built-in Terminal app):


$ diskutil list

#: TYPE NAME SIZE IDENTIFIER
 0: GUID_partition_scheme *251.0 GB disk0
 1: EFI EFI 209.7 MB disk0s1
 2: Apple_HFS Macintosh HD 250.1 GB disk0s2
 3: Apple_Boot Recovery HD 650.0 MB disk0s3
/dev/disk1
 #: TYPE NAME SIZE IDENTIFIER
 0: GUID_partition_scheme *320.1 GB disk1
 1: EFI EFI 209.7 MB disk1s1
 2: Apple_HFS SSD backup 180.0 GB disk1s2
 3: Apple_HFS Temp 139.6 GB disk1s3
/dev/disk2
 #: TYPE NAME SIZE IDENTIFIER
 0: GUID_partition_scheme *1.0 TB disk2
 1: EFI EFI 209.7 MB disk2s1
 2: Apple_HFS Macken_Ext Backup 999.9 GB disk2s2
/dev/disk3
 #: TYPE NAME SIZE IDENTIFIER
 0: FDisk_partition_scheme *8.0 GB disk3
 1: DOS_FAT_32 WHEEZY 8.0 GB disk3s1
$

/dev/disk3 is the USB thumb drive. I previously had another Wheezy image on it, thus its name.

Now unmount it:


$ diskutil unmountDisk /dev/disk3
Unmount of all volumes on disk3 was successful
$

Nice. Now let’s write the ISO to the drive:


$ pv -petr ~/Desktop/debian-7.2.0-amd64-DVD-1.iso | sudo dd of=/dev/disk3 bs=128k
Password:
0:00:38 [4.94MiB/s] [====>                  ] 3% ETA 0:16:55

Now let’s wait. Looks like it will take approximately another 17 minutes.

When done, just eject the thumb drive as usual, remove it and you have a bootable Debian install drive. Mission accomplished.

Installing Debian on old ASUS motherboards

I have a couple of decommissioned ASUS motherboards (M2NPV-VM and A8N-VM CSM), as well as a 19″ cabinet with ATX cases in it. Together they could be a setup for lab work, trying out Linux server stuff, a test bed for network gear etc.

Installing Linux (Debian) is usually pretty easy, but there were a couple of snags along the way.
So, note to self: read this if these motherboards need to be reinstalled sometime. It will save you/myself some time.

Booting from USB flash disk

  1. The BIOS of both boards needs to be changed so that the flash disk is the 1st disk (before the SSD that is also installed), and also 1st in the boot order. Otherwise it will not boot from the thumb drive.
  2. Install Debian as usual.
  3. Once you get to the GRUB installation part of the Debian install, follow the default setting and install to the first disk. Which is the flash thumb drive, I know. But trying to get the Debian installer to install GRUB anywhere else just failed consistently – I have no idea why. It should have worked to install it to /dev/sdb (which is the SSD).
  4. Reboot into recovery mode with the thumb drive still inserted (as GRUB was installed to it, remember?). You should now end up in a command line shell.
  5. Do a “grub-install /dev/sdb” to install GRUB to the SSD. The devices might be different depending on the installed hardware; check with “ls /dev”, “du” and related commands to get the device name of the SSD.
  6. Reboot, quickly remove the thumb drive during the reboot, and GRUB should now appear, served from the SSD.

 

Windows 8 and Debian Wheezy dual boot

An old Dell XPS M1330 laptop has been collecting dust around here for ages. It’s one of those “yes… I am sure that laptop will come in handy some day…” machines, and I finally took the time to set it up as test machine for Windows 8 and Linux. I also had an unused SSD drive that could replace the old and slow HD in the laptop.

Time to get to work!

Install Windows 8

  1. Get the Windows 8 installer. Run it, then go through all the steps until you get an option to “Install by creating media”. A Windows machine of some kind is obviously needed for this. This will create a bootable USB flash drive or an ISO, with all the Windows install files on it.
  2. You can actually install Windows 8 directly from the flash drive, but once you try to activate Windows it will tell you that the product key can only be used for upgrades. I found this out the hard way -> had to re-do the whole process.
  3. Get a copy of Windows XP, Vista or whatever earlier Windows version you can find. I happened to have a bunch of XP Pro licenses taken from old computers over the years. If going the XP route, it might be worth installing from XP SP3 (rather than SP2 or earlier), IIRC the pre-SP3 XP versions were rather crappy.
  4. Windows XP + SSD = <FAIL>. As the Windows 8 license was an upgrade, I had to get some prior Windows version installed first. Turned out that Win XP SP3 didn’t play nicely with the SATA2 SSD I had installed. Probably some missing drivers in the XP installation – SATA2 just had not been invented when Win XP was hot, I guess.
    I had to change a couple of BIOS parameters handling flash cache and SATA emulation (reverting back to some older ATA variant, I believe. Not sure, but it worked).
    The XP installer then detected the SSD and fired up as expected.
  5. Install XP from CD/DVD, as was done in the old days. No need to apply updates etc once it is installed. I didn’t activate Windows XP Genuine Advantage either.
  6. While in XP, start the Windows 8 installer from the flash drive created in step 1 above. From here it’s a pretty easy ride; I think I went with the defaults most of the way.
  7. Windows 8 should then be installed, and XP gone. Nice.

If you have a fresh-install product key for Windows 8, you can most likely skip the XP installation steps above, of course.

Install Debian

  1. Download UNetbootin to the new Windows 8 machine. No need to install, it’s a standalone application.
  2. Use UNetbootin to create a bootable Debian installation flash drive. All the actual Debian files will be downloaded during the installation, so the flash drive can be small (I used an old 256 MB one). I went with the Debian Stable_Netinstall, worked well.
  3. Reboot the computer to start the Debian installer. If the entire disk was allocated to Windows during that installation (it would have been, unless you repartitioned it yourself) you need to make some space for Debian. The Debian installer allows you to do this in the partitioning section. Go to the partition that Windows is installed on, hit enter and you can edit the size of the partition. Apply.
  4. While still in the partitioner, move to the now free/unused space on the SSD, and use the assisted partitioner for all unused free space. Going with the recommended option (all data on same partition) is fine. You will then get /dev/sdb5 and /dev/sdb6 partitions for general use and swap, respectively.
    NOTE: When booting from the USB flash drive it gets the name /dev/sda. The SSD is /dev/sdb, with the Windows partition being called /dev/sdb1.
  5. The Debian installer can be a bit cryptic the first times you use it, but it’s not too bad. Going with the defaults is usually fine.
  6. One of the last steps is to install the GRUB boot loader. Now, this can be done different ways. The easiest is to just follow the suggestion to install GRUB to the Master Boot Record. This will overwrite Windows boot loader (which in Windows 8 is actually pretty nice, with graphical UI, mouse interface etc).
  7. When the Debian installer finishes and the computer reboots, quickly remove the flash drive and, if all is well, GRUB should now kick in, showing Debian side by side with Windows 8.

If you want to use the Windows 8 boot loader, you need to reinstall it. I first thought I would do this, but changed my mind. GRUB might not have the prettiest UI around, but it works.

I think the last part of this article might be useful if you still want to switch back to using Windows 8 boot loader.

Closing thoughts

Now that XP is no longer anywhere on that SSD, it should be safe to switch the BIOS back to proper SATA mode. Windows 8 didn’t boot when I did that though… Not sure why. After switching back to the old legacy mode both Windows 8 and Debian boot fine, so I guess that decides it.

I did actually also do some initial work on the SSD, upgrading its firmware, as well as using the GParted Linux distro on a flash stick (once again using UNetbootin to create the flash disk) to create a FAT32 partition and align it as described in this post. No idea if that was really necessary.

Misc sources providing input for the above

http://www.howtogeek.com/99060/how-to-dual-boot-windows-8-and-linux-mint-on-the-same-pc/
http://unix.stackexchange.com/questions/76932/installing-debian-7-besides-windows-8
http://askubuntu.com/questions/217904/installed-ubuntu-my-windows8-not-booting/218006#218006

Monitorix on ReadyNAS, part 2

The default Monitorix installation (see previous post) puts the log and database files in /var/lib/monitorix/, which is part of the root partition. This partition is only 4 GB in size, and when it is 80% full the NAS sends an email to the admin email address:

System volume ‘root’ usage is 81 %. This condition should not occur in normal conditions. Please contact technical support.

Ouch… Well, it is easy enough to move the log and rrd files to a better location. As this problem is likely to occur for most software installed on the NAS, I decided to make a directory /home/admin/from_root, where things that originally lived on the root partition can be moved.

First su to become root, then stop the monitorix service:


service monitorix stop

Edit /etc/monitorix.conf using your favourite editor (vim, nano, emacs…). The beginning of mine (where the paths are defined) now looks like this:


# Monitorix - configuration file
#
# See monitorix.conf(5) manpage for a detailed description of each option.
#

title = Place a title here
hostname = RN312
theme_color = black
refresh_rate = 150
iface_mode = graph
enable_zoom = y
netstats_in_bps = n
disable_javascript_void = n
temperature_scale = c

base_dir = /usr/share/monitorix/
#base_lib = /var/lib/monitorix/
base_lib = /home/admin/from_root/monitorix
base_url = /monitorix
base_cgi = /monitorix-cgi

<httpd_builtin>
enabled = n
host =
port = 8080
user = nobody
group = nogroup
log_file = /home/admin/from_root/monitorix/log/monitorix-httpd
hosts_deny =
hosts_allow =
<auth>
enabled = n
msg = Monitorix: Restricted access
htpasswd = /var/lib/monitorix/htpasswd
</auth>
</httpd_builtin>
# Log files pathnames
# -----------------------------------------------------------------------------
log_file = /home/admin/from_root/monitorix/monitorix
secure_log = /var/log/secure
mail_log = /var/log/maillog
milter_gl = /var/milter-greylist/greylist.db
imap_log = /var/log/imap
hylafax_log = /var/spool/hylafax/etc/xferfaxlog
cups_log = /var/log/cups/page_log
ftp_log = /var/log/proftpd/access.log
fail2ban_log = /var/log/fail2ban.log
spamassassin_log = /var/log/maillog
clamav_log = /var/log/clamav/clamav.log
cg_logdir = /var/CommuniGate/SystemLogs/
squid_log = /var/log/squid/access.log

Now that this is done, move the existing files to the new location:


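# Create the new location (-p also creates from_root if it is missing)
mkdir -p /home/admin/from_root/monitorix

# Copy the existing data; -a also copies subdirectories and keeps
# ownership and permissions as they were
cp -a /var/lib/monitorix/. /home/admin/from_root/monitorix/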

Almost there. Before starting the service again it is useful to monitor the application’s log file. Make sure you have two shells running side by side. In one of them start a tail of the log file:


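# Follow the Monitorix log at its new location (log_file in /etc/monitorix.conf)
tail -n 50 -f /home/admin/from_root/monitorix/monitorix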

Now start the service again, using the second shell. You can now monitor the startup log entries, and if all goes well there will be no (serious) errors.


service monitorix start

Enhanced monitoring of Netgear ReadyNAS RN312 using Monitorix

Edit: Some additional configuration turned out to be necessary to achieve stable operation, see this post.

The built-in monitoring of the RN312 is ok for basic purposes, but still pretty limited.

I am really heading towards a Zabbix setup (I think at least, having tested it in a VM environment it seems pretty nice), but there is A LOT of configuration needed to get Zabbix up and running. That’s actually a downside of Zabbix: In order to get simple things like alarm/notification emails set up, you need to do a lot of configuration in the web UI. Yes, it is very flexible, but also quite demanding.

So what options are there to get started more quickly? Wikipedia lists a whole bunch of NMS systems. Having followed (and read good things about) Monitorix for some time, I thought it was worth a try.

Setup was pretty painless, but some extra work was needed (as compared to the installation instructions). Good instructions for Debian can be found here though. Worth noting that I decided to install packages from a repository, rather than as a downloaded package, or from source.

  1. Add the needed sources. Good instructions here. I stored the repo key in /root, there is probably a better place for it… Btw you need to do the following as root, so run “su” to change user.

    Use your editor of choice to edit /etc/apt/sources.list so it looks something like this (the last two lines are what we are after here):
    deb http://apt.readynas.com/packages/readynasos 6.0.8 updates apps main
    deb http://mirrors.kernel.org/debian wheezy main
    
    # Monitorix packages
    deb http://apt.izzysoft.de/ubuntu generic universe
    
  2. Get the key for the repository. This is needed in order to install the package from the repo.
    cd
    wget http://apt.izzysoft.de/izzysoft.asc
    apt-key add izzysoft.asc
    
  3. Install…
    apt-get update
    apt-get install monitorix
    
  4. In spite of what the Monitorix install instructions say about the system running out of the box, I had to make some additional changes: As Monitorix will run on the RN312, but you will access it from some other computer, you need to tell Apache2 that this is ok. Edit /etc/apache2/conf.d/monitorix.conf so that it looks like this (only the Directory section is shown, to keep it short):
    <Directory /usr/share/monitorix/cgi/>
     DirectoryIndex monitorix.cgi
     Options ExecCGI
     Order Deny,Allow
     Deny from all
     Allow from all
    </Directory>
    

    Yes… you should probably not allow just anyone to access this via insecure http. A better option might be to use specific IP numbers instead of all, i.e. “Allow from w.x.y.z” instead of “Allow from all”.

    Edit /etc/monitorix.conf. By default Monitorix’ own http server is enabled, but it will clash with the Apache2 server that is already running on the RN312. We need to disable Monitorix’ http server, and while we are at it, you might also want to change the hostname, as well as decide which graphs to show.
    The first part of my /etc/monitorix.conf looks like this

    # Monitorix - configuration file
    #
    # See monitorix.conf(5) manpage for a detailed description of each option.
    #
    
    title = Place a title here
    hostname = RN312
    theme_color = black
    refresh_rate = 150
    iface_mode = graph
    enable_zoom = y
    netstats_in_bps = n
    disable_javascript_void = n
    temperature_scale = c
    
    base_dir = /usr/share/monitorix/
    base_lib = /var/lib/monitorix/
    base_url = /monitorix
    base_cgi = /monitorix-cgi
    
    <httpd_builtin>
     enabled = n
     host =
     port = 8080
     user = nobody
     group = nogroup
     log_file = /var/log/monitorix-httpd
     hosts_deny =
     hosts_allow =
     <auth>
     enabled = n
     msg = Monitorix: Restricted access
     htpasswd = /var/lib/monitorix/htpasswd
     </auth>
    </httpd_builtin>
    # Log files pathnames
    # -----------------------------------------------------------------------------
    log_file = /var/log/monitorix
    secure_log = /var/log/secure
    mail_log = /var/log/maillog
    milter_gl = /var/milter-greylist/greylist.db
    imap_log = /var/log/imap
    hylafax_log = /var/spool/hylafax/etc/xferfaxlog
    cups_log = /var/log/cups/page_log
    ftp_log = /var/log/proftpd/access.log
    fail2ban_log = /var/log/fail2ban.log
    spamassassin_log = /var/log/maillog
    clamav_log = /var/log/clamav/clamav.log
    cg_logdir = /var/CommuniGate/SystemLogs/
    squid_log = /var/log/squid/access.log
    
    imap_log_date_format = %b %d
    secure_log_date_format = %b %e
    
    # Graphs (de)activation
    # -----------------------------------------------------------------------------
    <graph_enable>
     system = y
     kern = y
     proc = y
     hptemp = n
     lmsens = y
     nvidia = n
     disk = n
     fs = y
     net = y
     serv = y
     mail = y
     port = y
     user = y
     ftp = y
     apache = y
     nginx = n
     lighttpd = n
     mysql = y
     squid = n
     nfss = y
     nfsc = y
     bind = y
     ntp = y
     fail2ban = y
     icecast = n
     raspberrypi = n
     int = y
    </graph_enable>
    

    Finally, for some reason the rights to Monitorix’ imgs directory were incorrect out-of-the-box. Fix it:

    cd /usr/share/monitorix/
    ls -la
    chown -R admin:admin imgs
    ls -la
    
  5. Almost there… We just need to restart Apache2 and Monitorix to make the new configuration take effect:
    service apache2 reload
    service monitorix restart
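
The Directory section in step 4 combines “Order Deny,Allow” with “Allow from all”, so the Allow line wins and the CGI directory is reachable from any client. The following added example (not from the original post or from Monitorix) scans Apache 2.2 style configuration files for CGI directories left open in that way; the function name, the second Directory path and the 192.0.2.0/24 subnet are constructed placeholders, and directives inherited from parent sections or Apache 2.4 “Require” lines are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): flag <Directory> blocks that
# enable ExecCGI and are open to every client (Apache 2.2 Order/Allow/Deny).
find_open_cgi_dirs() {
    awk '
        function report() {
            # With "Order Allow,Deny" a matching Deny wins; otherwise Allow wins.
            blocked = (order == "allow,deny" && deny_all)
            if (cgi && allow_all && !blocked)
                printf "%s:%d: %s\n", FILENAME, start, dir
        }
        { line = tolower($0); sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<directory[ \t]/ {
            in_dir = 1; cgi = 0; allow_all = 0; deny_all = 0
            order = "deny,allow"              # Apache 2.2 default order
            start = FNR; dir = $0
            sub(/^[ \t]*<[^ \t]+[ \t]+/, "", dir); sub(/>[ \t]*$/, "", dir)
            next
        }
        line ~ /^<\/directory>/ { if (in_dir) report(); in_dir = 0; next }
        !in_dir { next }
        line ~ /^options[ \t]/ && line ~ /[ \t][+]?execcgi/ { cgi = 1 }
        line ~ /^order[ \t]/ { order = line; sub(/^order[ \t]+/, "", order) }
        line ~ /^allow[ \t]+from[ \t]+all$/ { allow_all = 1 }
        line ~ /^deny[ \t]+from[ \t]+all$/  { deny_all = 1 }
    ' "$@"
}

# Constructed sample: the Directory section from the post, then a second
# section limited to a placeholder subnet (192.0.2.0/24).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<Directory /usr/share/monitorix/cgi/>
 DirectoryIndex monitorix.cgi
 Options ExecCGI
 Order Deny,Allow
 Deny from all
 Allow from all
</Directory>
<Directory /srv/example/cgi/>
 Options ExecCGI
 Order Deny,Allow
 Deny from all
 Allow from 192.0.2.0/24
</Directory>
EOF
find_open_cgi_dirs "$demo"    # only the first block is reported
rm -f "$demo"
```

On the NAS the same function can be pointed at the real files, for example `find_open_cgi_dirs /etc/apache2/conf.d/*`.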
    

     

Directing your browser to http://<IP of your NAS>/monitorix should now give you a screen like this:

[Screenshot: Place_a_title_here]

Clicking ok should now take you to a page looking similar to this one (exactly what is shown will depend on the settings you did in /etc/monitorix.conf):

[Screenshot: Place_a_title_here 2]

All in all – very nice! 🙂

Installing Debian from USB thumb drive

For some years now I have tried to improve my Linux skills. I just don’t have the time to do Linux deep dives at work, so I figured I would set up a physical Linux box here, in addition to the VMs I use from time to time.

Anyway, without further thought about the pros and cons of VMs vs physical machines, creating the installation USB thumb drive turned out to be a bit of a challenge, until UNetbootin and LiLi came along. The former supports Windows, Linux and OS X (I am on OS X), while LiLi is Windows only.

LiLi looks good, but given my OS X preference I went with UNetbootin. After creating a Debian Wheezy installation thumb drive, I tried booting it in a Dell laptop. No luck, it booted straight into the Windows 8 that was on the hard drive.

When repeating the procedure on the Dell laptop (running Win 8) it worked like a charm: the Debian installer started after the USB drive had been created and the laptop rebooted. I recall reading somewhere that there are issues with UNetbootin on OS X; I guess that’s still the case.

So, now onto the actual installation – nice!