Enable or disable automatic updates

Automatic updates can be a useful feature to help keep your system up-to-date and thereby more secure.

Automatic updates can cause problems if you do not know what you are doing, so only set them to run on a production server if you do.

To change the current setting simply run the following command:

sudo dpkg-reconfigure -plow unattended-upgrades

Now simply choose the option that suits you best. That’s all there is to it.

Securing your SSH Server

When you have a server running SSH, the last thing you want or need is someone breaking in. This article will look at how to make your server's SSH more secure through a variety of methods.

Change the Port

Changing the port that SSH runs on will make it harder for automated attacks or scanners to locate your SSH service, meaning that this simple change could easily reduce the chance of being hacked. To change the port you need to log into the machine and open the configuration file with the following command:

sudo nano /etc/ssh/sshd_config

You can now find the line that reads:

 Port 22

This line sets the port, so it needs to be changed. For this example I will use port ‘1234’; however, for your own service you can choose any other port that isn’t being used. When you have made the change it should look something like this:

Port 1234

That’s all there is to it. Now when you SSH into the machine you will need to use the command:

ssh -p 1234 user@host

Disable the Root Account From Logging In

The next step will prevent the root account from being able to log in. This means that you will need to create another account with the ‘sudo’ privilege to run commands on the server. To disable the root account, find the line in your SSH config file that reads:

PermitRootLogin yes

Or

PermitRootLogin without-password

And change it so that it reads:

PermitRootLogin no

Now if you try to log in with the root account you will be denied access meaning that any potential hacker must also guess the user name for the account as well as the password.

Restrict Access to Specific Account

Restricting access to a specific account or specific set of accounts allows you to further restrict who can and can’t log into the server. There are two methods of doing this: with Accounts or with Groups.

Accounts

With Accounts you will need to add this line to the end of the SSH Config file:

AllowUsers User1 User2 User3

Now if your account isn’t explicitly allowed you can’t log in.

Groups

With Groups you will need to add this line to the end of the SSH Config file and ensure that you are a member of the group:

AllowGroups Group1

That’s all there is to it. Now you have restricted the login to a certain set of your users.

Disable Password Login

Disabling password login requires you to use an SSH key to log in. This further limits the success of an attack, as an attacker must now guess the SSH key instead of a password for it to work. To enable this find the line that reads:

#PasswordAuthentication yes

And change it to:

PasswordAuthentication no

Now, the only way to log in is with a SSH key.
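
The settings from the sections above can be checked in one pass. The script below is an added example, not part of the original article: it reads an sshd_config file and reports which of the recommended settings are missing. The function names and the two sample files are constructed for illustration, and the fallback defaults assume a current OpenSSH release.

```sh
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# against the settings recommended above.

# Print the effective value of KEYWORD in FILE. sshd keeps the first value it
# reads for a keyword and matches keywords case-insensitively. Parsing stops at
# the first Match block because settings below it only apply conditionally.
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$2"
}

flag() { echo "WEAK: $1"; findings=$((findings + 1)); }

# Print one line per weak setting in FILE; the exit status is the count.
audit_sshd() {  # usage: audit_sshd FILE
    findings=0
    port=$(sshd_value Port "$1")
    root=$(sshd_value PermitRootLogin "$1")
    pass=$(sshd_value PasswordAuthentication "$1")
    allow=$(sshd_value AllowUsers "$1")$(sshd_value AllowGroups "$1")
    # An absent keyword falls back to the sshd default (assumed: current OpenSSH).
    [ "${port:-22}" != 22 ] || flag "Port is the default 22"
    [ "${root:-prohibit-password}" = no ] || flag "PermitRootLogin is not 'no'"
    [ "${pass:-yes}" = no ] || flag "PasswordAuthentication is not 'no'"
    [ -n "$allow" ] || flag "no AllowUsers or AllowGroups restriction"
    return "$findings"
}

# Constructed sample files standing in for /etc/ssh/sshd_config.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock" <<'EOF'
#Port 22
PermitRootLogin without-password
#PasswordAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
Port 1234
PermitRootLogin no
permitrootlogin yes
AllowUsers User1 User2 User3
PasswordAuthentication no
EOF

for f in stock hardened; do
    audit_sshd "$tmp/$f" && echo "$f: no weak settings" || echo "$f: $? weak setting(s)"
done
```

Before restarting sshd on a real server, `sudo sshd -t` validates the edited file, and keeping the current session open until a new login succeeds avoids locking yourself out.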

Firewall

Another way to add some security is to add a firewall rule that blocks access to certain ports. For this example we are going to completely block port 22, as we have changed the port that SSH is running on. To do this run the following command:

sudo iptables -A INPUT -p tcp --dport 22 -j DROP

This will completely block access to the default port, meaning that if anyone does try to brute force the default port the connections are automatically refused.

Fail2Ban

Fail2Ban is a great piece of software that allows you to easily prevent brute force attacks by dynamically adding and removing records to the iptables configuration. With a few lines of code you can have a fully functioning installation that will block connections after x many failures. For full instructions on setting up Fail2Ban check out our article.

Make Password Asterisk Visible

When working in a terminal it can be quite frustrating when you lose track of your password. Normally your password would look like this:

*****************

However, by default you are presented with nothing, no hint at all. So to combat this, run the following command, which will open up the configuration file.

sudo visudo

In this file find the line that looks like this:

Defaults env_reset

Edit it so that it looks like this:

Defaults env_reset,pwfeedback

You can now save the file and it will work. This should work with both Linux and Mac based systems.

Install and Configure Fail2Ban

Fail2Ban is a brilliant piece of software that helps protect your server. It is great for protecting your SSH server or your web server, and by following these steps you should correctly set up Fail2Ban so that IP Addresses are added to the banned firewall list. To install Fail2Ban, copy the configuration file and open the copy for editing, run the following commands:

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

In this file you will find all of the configuration information that you need to change to make Fail2Ban work correctly. Below are all of the configuration options for Fail2Ban that you will need to make it work.

Configuration Option | Description | Default
ignoreip | Tells Fail2Ban which IP Addresses to ignore from the banning process | 127.0.0.1/8
bantime | How long IP Addresses are banned for after Fail2Ban takes action | 600 (Seconds – Ten Mins)
maxretry | How many attempts you get before being banned within the time limit set by 'findtime' | 3
findtime | How long to track failed attempts after the first failure | 600 (Seconds – Ten Mins)
destemail | The Email Address to send ban notices to | root@localhost
sendername | The name that is used as the sender when an email is sent | Fail2Ban
mta | The Mail service to use to send the emails about bans | sendmail
action | The action Fail2Ban takes when banning an account | Adds the IP Address to the banned list in iptables

These configuration options allow you to configure your Fail2Ban service how you want to. However, to correctly configure the action section we will take a closer look at it.

There are three options for the action option. The default option (action_) will simply block the account for us. However if you wish to use mail then you have two options. The first option, action_mw will also send an email with a whois look up on the offending IP Address. The final option, action_mwl will send us the email with the whois lookup and include the Log lines which may help with debugging.
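
To see how maxretry, findtime, bantime and ignoreip from the table work together, the script below replays a list of failed logins through a simplified model of the banning decision. It is an added example and not Fail2Ban's own code: the function names, the "timestamp address" record format and the sample records are constructed for illustration, and the ignored address is matched exactly rather than as a CIDR range.

```sh
#!/bin/sh
# Added example (not Fail2Ban's own code): a simplified model of how maxretry,
# findtime, bantime and ignoreip decide when an address is banned.

# Reads "EPOCH_SECONDS IP" failure records on stdin, oldest first, and prints
# "BAN <time> <ip>" each time an address reaches MAXRETRY failures within
# FINDTIME seconds. IGNORED is one exact address (the real option takes CIDR).
simulate_bans() {  # usage: simulate_bans MAXRETRY FINDTIME BANTIME IGNORED
    awk -v maxretry="$1" -v findtime="$2" -v bantime="$3" -v ignored="$4" '
        $2 == ignored { next }                          # ignoreip: never counted
        ($2 in banned_until) && $1 < banned_until[$2] { next }  # already banned
        {
            ip = $2; n = ++count[ip]; seen[ip, n] = $1
            recent = 0                  # failures inside the findtime window
            for (i = 1; i <= n; i++)
                if ($1 - seen[ip, i] < findtime) recent++
            if (recent >= maxretry) {
                print "BAN", $1, ip
                banned_until[ip] = $1 + bantime
                count[ip] = 0           # counting starts again after the ban
            }
        }'
}

# Constructed failure records (documentation-range addresses, fake timestamps).
sample_failures() {
    cat <<'EOF'
1000 203.0.113.5
1000 198.51.100.7
1001 127.0.0.1
1002 127.0.0.1
1003 127.0.0.1
1100 203.0.113.5
1200 203.0.113.5
1300 203.0.113.5
1500 198.51.100.7
1900 203.0.113.5
1950 203.0.113.5
2000 203.0.113.5
2200 198.51.100.7
EOF
}

# Defaults from the table above: maxretry 3, findtime 600, bantime 600.
sample_failures | simulate_bans 3 600 600 127.0.0.1
```

With the default values 203.0.113.5 is banned twice, while 198.51.100.7 also fails three times but over more than findtime seconds, so it is never banned.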

Now we can reload the service with the following command:

sudo service fail2ban restart

Finally, we can add some default rules to our iptables firewall. To do so, run the following commands:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP

The third line allows connections to our SSH Server. If you have changed the port, ensure that you change this line to allow connections to your new SSH port.

That’s all there is to it. You now have a fully working copy of Fail2Ban set up on your server with a basic firewall integrated to help protect your server from people who should not be accessing it. Don’t forget to update the firewall if you start to use any other internet accessible programs such as a LAMP Stack.

Share a screen session with multiple accounts

So, whilst looking at how to share a screen session with multiple accounts, I ran into a few problems. However, here are the steps that I did to share the session with multiple accounts.

First log into the account that will host the screen session. For this example, we will call this account ‘User1’. This user MUST have permission to use the sudo command. Run the following commands:

sudo chmod u+s /usr/bin/screen
sudo chmod 755 /var/run/screen

This will make screen capable of sharing a session. Now we need to start a session to share and connect to it.

screen -d -m -S SharedSession
screen -r SharedSession

Once in the shared session, you need to enter a few commands. To enter the command line of screen you need to hit the following keys at once:

CTRL + A + SHIFT + :

You can now enter the following commands, however, you will need to press the keys before each command so that they are run by screen.

multiuser on
acladd User2

You can use this for as many users as you like; just repeat the second line, changing the user’s name. Now from the second user you can connect to the session with the following command:

screen -x User1/SharedSession

That’s all there is to it. Now you can create as many shared sessions as you need and add the users that you need.

Setting up Java 8 on Ubuntu

After spending a few days searching the web for a way to install the latest Oracle version of the Java Developers Kit I was relieved to find a team of people that produce an easy to install package for Oracle’s Java.

To begin we are going to add the PPA to our machine and then install the main installer. To do so run the following commands:

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

During the last command a screen will appear asking whether you agree to the Oracle Binary License. You will need to agree to this to continue. When it has finished, Java is installed and you can check it by running the following command:

java -version

If this returns something like the output below then Java has been installed correctly:

java version "1.8.0_11"
Java(TM) SE Runtime Environment (build 1.8.0_11-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.11-b03, mixed mode)

Finally, to set up the Java Environment you can use another package by the same team. To do so run the following command:

sudo apt-get install oracle-java8-set-default

That’s all there is to it and you have now set up Oracle’s Official JDK on Ubuntu. The team behind this are absolutely amazing for doing this. It makes the whole process so much easier to install than when I was looking at the way to do this manually.

Installing Sick Beard on the Raspberry Pi

In this tutorial I will detail how to install Sick Beard on the Raspberry Pi, specifically, on Raspbmc. It is really easy to install Sick Beard but you will need to install git to get Sick Beard.

To install Git run the following command:

sudo apt-get install git-core

When this is finished you will have git installed. This is a version management system that allows easy code development. Now we are going to download the latest copy of Sick Beard using git. The following command will download Sick Beard in the current directory:

git clone https://github.com/midgetspy/Sick-Beard.git my-sickbeard-install

You now have a copy of Sick Beard, you can either start it or move it to another directory. To start SickBeard run the following command:

python my-sickbeard-install/Sick-Beard.py

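If you want to move the Sick Beard installation then running the following commands will move SickBeard to ‘/sickbeard’:

# Create the target directory first, otherwise mv has nowhere to move the files
sudo mkdir -p /sickbeard
sudo mv my-sickbeard-install/* /sickbeard/
# Give your own user ownership instead of making the directory world-writable (777)
sudo chown -R "$USER" /sickbeard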

There we go, that’s all there is to it. You can now start using SickBeard through the web browser at the web address:

 http://IPADDRESS:8081

 

Installing Handbrake to RIP DVDs

Should you want to backup a DVD, this tutorial will detail how to install and set up Handbrake to do so.

The first thing that you need to do is install Handbrake with the following command:

sudo apt-get install handbrake

Now we need to install a package called Libdvdcss so that we can access encrypted DVDs, so run the following command to install the main package:

sudo apt-get install libdvdread4

If you have installed the Ubuntu Restricted Extras package from the Software Centre this has already been installed.

Finally to install the Libdvdcss package run:

sudo /usr/share/doc/libdvdread4/install-css.sh

That’s all there is to it! You can now backup your DVDs with Handbrake!

Installing Transmission onto your GoFlex Home

Transmission is a great option when it comes to Torrent software. When paired with the GoFlex Home (a NAS that comes in 1TB, 2TB or 3TB variations), it can become an invaluable tool to have, as the NAS is likely to be running most of the time. After searching around the web for a bit I found a way to install Transmission by simply copying a few files around the place.

The first thing you need to do is download the package from the OpenStora Site (I highly recommend this site if you have any device powered by the Hipserv operating system; this tutorial is a detailed version of their instructions). You will need to register to download the file. When you have downloaded the file from OpenStora, you will need to move it onto the NAS. In this example, I moved it to the Public share on my user ‘server’.

Now you can extract the files and get ready to move them around. To extract them run the following command:

tar xvfz transmission-1_92_ARM_Stora_tar.gz
cd transmission

Now we have all of the files ready. However, we should edit them before moving them. There is only one file that we need to edit right now, so open the file in the vi editor with the command below:

vi init.d/transmission-daemon

There are two settings in this file that we need to edit. We need to set the config path and the username. For this example, I am going to use the user ‘server’ and put the files in the user’s home. This is what I changed it to:

TRANSMISSION_HOME=/home/server/config/transmission-daemon
DAEMON_USER="server"

Before you can edit a file in vi you need to press the ‘i’ key to enable editing.

This means that the user server should be able to edit all of the configuration files as it is in the user home directory, but to be sure and create the directory run the following commands:

sudo mkdir -p /home/server/config/transmission-daemon
sudo chown server:server /home/server/config/transmission-daemon

Remember to replace the details in the command with the details for your user and path if you are not using the same as I have.

Now you can exit the file and begin moving the files around. The following commands will move all of the files to the correct location:

sudo mv transmission-daemon /usr/local/bin/
sudo mv init.d/transmission-daemon /etc/init.d/
sudo mv web/index.html /usr/share/transmission/web/
sudo mv web/images /usr/share/transmission/web/
sudo mv web/javascript /usr/share/transmission/web/
sudo mv web/stylesheets /usr/share/transmission/web/

Now that all of the files have been moved, we can start and stop the transmission-daemon so that it generates the configuration file. To do so run the following commands:

/etc/init.d/transmission-daemon start
/etc/init.d/transmission-daemon stop

Finally, we can change the settings in the file that was just generated. To do so open the ‘settings.json’ file located in the TRANSMISSION_HOME directory. The following command works for the example used in this tutorial:

vi /home/server/config/transmission-daemon/settings.json

There are a few options in here that should or could be edited. The information below details all of this with the settings that I used for this tutorial.

File Locations

Setting | Information | Example
download-dir | Where finished downloads are stored | \/home\/server\/GoFlex Home Public\/Downloads\/Finished
incomplete-dir | Where downloads are stored before they are finished, i.e. where they are stored whilst they are still being downloaded | \/home\/server\/GoFlex Home Public\/Downloads\/Incomplete
incomplete-dir-enabled | Allows you to enable the incomplete directory | true
watch-dir | The directory Transmission should watch for torrent files to automatically add and download | \/home\/server\/GoFlex Home Public\/Downloads\/Add
watch-dir-enabled | Allows you to enable the watch directory | true

Security

Setting | Information | Example
rpc-authentication-required | Requires password to access the Web GUI, set to false to disable | true
rpc-username | The username to access the Web GUI when the Authentication is enabled | MyUser
rpc-password | The password to access the Web GUI when the Authentication is enabled | This is a password!
rpc-whitelist-enabled | This allows you to enable an IP address white list to only allow specific IP addresses to access the Web GUI | false

When you have finished editing the file you can save it and start the daemon again with the command:

/etc/init.d/transmission-daemon start

You should now be able to access the Transmission Web interface at:

http://goflexip:9091

Start on boot

The final option is to set up Transmission to start when the computer boots. To do so run the following commands:

sudo /sbin/chkconfig --add transmission-daemon
sudo /sbin/chkconfig --levels 2345 transmission-daemon on

That’s all there is to it, you are now running Transmission on the embedded device in your GoFlex NAS. Unfortunately, you cannot access the daemon with the remote program as the Transmission version is 1.9.8, which isn’t supported.

SSH Access to the Seagate GoFlex Home

The Seagate GoFlex Home is the NAS that I currently use; with a 2TB drive it is a perfectly capable drive for basic needs. It also allows you to SSH into the device itself. To do so you will need to run the following command:

ssh USERNAME_hipserv2_seagateplug_XXXX-XXXX-XXXX-XXXX@IPADDRESS

Simply replace ‘USERNAME’ at the start with your username for the device and ‘XXXX-XXXX-XXXX-XXXX’ with the Serial Key from the base of the device. The code is usually the largest one, at the bottom, and starts with a code like ‘PK:’. Don’t forget to add the IP address where it says ‘IPADDRESS’.

The ‘PK:’ at the start isn’t part of the key, you do not use this in the ssh command.

That’s all there is to it. You can now SSH into your device to run any commands that you want.