by Pedro M. S. Oliveira | Dec 7, 2009 | Linux
Lots of people ask me what the best Linux distro is: some want the best one for a newbie, others want to set up a home server, and others want to build a gatekeeper. So what's the best distro to accomplish all this?
To be sincere I like OpenSuSE a lot and I use it for all my personal things and my work laptops, but I wouldn't recommend it for server usage; I don't recommend any of the desktop distros (aka distributions) for that matter, due to a simple issue. The desktop distros like OpenSuSE, Fedora, Ubuntu, etc. have a short support cycle. This means that if you want to have security upgrades you'll need to be constantly updating your server install.
For usage in a server environment I like to use SLES, RedHat and CentOS. The support cycle is great (at least 5 years), and the stability and endurance of the OS are great in any of them.
Once again I prefer SLES, due to the great tools and support they provide. However, I can't say the same about RedHat support: whenever I needed them I had to find the solution on my own.
These are the two main scopes of Linux distros out there, desktop and server, but they aren't the only scopes where you have Linux. For instance, if you want to have a firewall, proxy, content filter, QoS and traffic shaping I would recommend the excellent Endian FW (www.endian.it).
If you want to have your Linksys/Asus or other router running Linux you may use DD-WRT; would you like to turn an older computer into a media center? Look at GeeXboX. For a hacker distribution so you can test your systems' security, just download BackTrack. The list goes on, and you will be able to find a distribution suited to your needs. Some may need just a live CD or DVD system, others a complete server suite like SME Server (which will give you the same offer as Windows Small Business).
To conclude, I don't think there's a best distro; there are differences, and those differences make some people like one distro over another.
Personally I like OpenSuSE and SLES.
Cheers,
Pedro Oliveira
by Pedro M. S. Oliveira | Aug 17, 2009 | Linux
Hi,
Some of us use a dynamic DNS service to access our home server or desktop, but with cheap Internet access prices you may think about having your own server (these days you can have a 100/10MB fiber connection for 50€), that is, if you don't like the cloud concept.
But what if you don't want to use the domain name that your dynamic DNS provider gives you (something like myhome.dyndns.org)? Let's say that you want www.at-my-domain.com. You have two options:
1 – You buy/rent a custom DNS service (around 40€/year/domain)
2 – You build your custom DNS server with BIND or TINYDNS.
I'll write about the second one, but before we start let me tell you the implications this setup has.
1.º – You need root access to the server.
2.º – If you have a lot of domains you'll have a big DNS overhead, because you'll have to set a small TTL (time to live) on the DNS records you serve, to keep other DNS servers and clients updated.
3.º – You need to have cron running.
4.º – You need to have BIND installed.
5.º – You need a dynamic DNS service provider for your initial domain; don't forget to tick the "use wildcard" option. Check www.dyndns.org, install and configure the client (following the documentation) and test it afterwards.
6.º – You need direct access to UDP port 53; check your firewall, and the hosts.deny file if you use TCP Wrappers.
7.º – This post is not about DNS security; you should read about it and harden your setup further.
I'm going to set this up on OpenSuSE 11.0 (x86_64), but this setup should be suitable for other distros with small changes.
Imagine that you have bought the domain starwars-xpto.com.
Let's start with the BIND configuration. To do this, edit /etc/named.conf and add the following lines:
zone "starwars-xpto.com" in {
    file "master/starwars-xpto.com";
    type master;
    allow-transfer { any; };
};
Now let's create an initial zone file at /var/lib/named/master/starwars-xpto.com with the following content:
$TTL 60
@ IN SOA yourhost.yourdomain.name. root.yourhost.yourdomain.name. (
1249459201 ; serial
10800 ; refresh
3600 ; retry
604800 ; expiry
86400 ) ; minimum
starwars-xpto.com. IN MX 10 mail.starwars-xpto.com.
starwars-xpto.com. IN NS ns1
starwars-xpto.com. IN NS ns2
mail IN A 83.132.158.224
ns1 IN A 83.132.158.224
ns2 IN A 83.132.158.224
*.starwars-xpto.com. IN A 83.132.158.224
After this just reload named:
/etc/init.d/named reload
and test it:
dig @your_dns_server_IP www.starwars-xpto.com
you should get something like:
; <<>> DiG 9.6.1 <<>> @localhost www.starwars-xpto.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55310
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.starwars-xpto.com. IN A
;; ANSWER SECTION:
www.starwars-xpto.com. 60 IN A 83.132.158.224
;; AUTHORITY SECTION:
starwars-xpto. 60 IN NS ns1.starwars-xpto.com.
starwars-xpto. 60 IN NS ns2.starwars-xpto.com.
;; ADDITIONAL SECTION:
ns1.starwars-xpto.com. 60 IN A 83.132.158.224
ns2.starwars-xpto.com. 60 IN A 83.132.158.224
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 17 18:02:31 2009
;; MSG SIZE rcvd: 120
If you got something like that it's great, you have your BIND configuration working; if not, check the logs. BIND is really picky with the syntax, and by the way you can't use # as a comment in the config file, just ;.
Now let's go to the interesting part, creating the script that will change the IP address in the BIND configuration whenever it changes. Just create a script wherever you want; my custom system scripts are usually in /root/bin, so I'll keep using it.
Let's create and edit the file /root/bin/update_dns, not forgetting to change yourdomain_at_dyndns.org. Just copy/paste the content below:
#!/bin/bash
BIND_DIR='/var/lib/named/master'
DOMAIN=$1
BIND_FILE=$DOMAIN

if [ $# -ne 1 ] ; then
    echo "Usage: update_dns domain"
    echo "EX: update_dns domain.com"
    exit 1
fi

# Public IP as seen by the dynamic DNS provider (the A record of your dyndns name)
function get_ip ()
{
    dig yourdomain_at_dyndns.org | grep yourdomain_at_dyndns.org | grep -v ';\|CNAME' | awk '{print $5}'
}

# Rewrite the zone file with the new IP and a fresh serial (epoch seconds)
function update_dns ()
{
    DATA_SEGUNDOS=`date +'%s'`
    DOMAIN_=$1
    IP_=$2
    BIND_WORK_DIR_=$3
    BIND_WORK_FILE_=$4
    if [ "$IP_" != "`grep 'IN.*A' $BIND_WORK_DIR_/$BIND_WORK_FILE_ | grep -v SOA | awk '{print $4}' | uniq`" ] ; then
        # replace every dotted quad with the new IP, then the 10-digit serial with the current epoch
        sed "s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/$IP_/" $BIND_WORK_DIR_/$BIND_WORK_FILE_ > /tmp/$DOMAIN_
        sed "s/[0-9]\{10\}/$DATA_SEGUNDOS/g" /tmp/$DOMAIN_ > /tmp/$DOMAIN_.bind
        cat /tmp/$DOMAIN_.bind
        rm $BIND_WORK_DIR_/$BIND_WORK_FILE_
        mv -f /tmp/$DOMAIN_.bind $BIND_WORK_DIR_/$BIND_WORK_FILE_
        rm /tmp/$DOMAIN_*
        echo `date +'%b %d %H:%M:%S'` "Domain: $DOMAIN_ updated to IP: $IP_" >> /var/log/messages
        chmod -R 755 /var/lib/named/master
    else
        echo "No need for update"
    fi
}

# Restart named; the lock file keeps two cron runs from restarting at the same time
function restart_dns_server ()
{
    if [ ! -f /tmp/restarting_named ] ; then
        touch /tmp/restarting_named
        /etc/init.d/named stop
        sleep 3
        pkill -9 named
        sleep 1
        /etc/init.d/named restart
        rm /tmp/restarting_named
    else
        sleep 10
        restart_dns_server
    fi
}

IP=`get_ip`
if [ -z "$IP" ] ; then
    # dig returned nothing (provider down, DNS broken): never write an empty IP into the zone
    echo "Could not resolve yourdomain_at_dyndns.org, leaving the zone untouched" >&2
    exit 1
fi
if [ "$IP" != "`grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' $BIND_DIR/$BIND_FILE | awk '{print $4}' | uniq`" ] ; then
    update_dns $DOMAIN $IP $BIND_DIR $BIND_FILE
    restart_dns_server
fi
Finally you just need to set up cron. Just type crontab -e and add an entry like:
*/5 * * * * /root/bin/update_dns starwars-xpto.com
Just wait the 5 minutes and check if the IP changed with the dig command as written above.
After all this, and as the last step of configuration, go to the domain provider where you bought your domain (e.g. www.godaddy.com) and configure it to use NS1.yourdomain_at_dyndns.org and NS2.yourdomain_at_dyndns.org as name servers, and you're done.
This isn't an easy setup to do, but if you have multiple custom domains it can save a few € every year; I know in my case it does.
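As an added example (not the post's update_dns script), the shell functions below do the same zone rewrite with the checks I would want before a file that named serves gets replaced: the address coming back from dig is validated before it is used in an edit, the SOA serial is guaranteed to increase even when two runs land in the same second, the candidate zone file is checked with named-checkzone (when BIND's tools are installed) before it replaces the live one with a single rename, and only the affected zone is reloaded through rndc instead of stopping named. It assumes the zone layout of the post (serial on the line ending in "; serial", A records holding the public address); the function names, the example.test zone and the RFC 5737 test addresses are mine.

```shell
#!/bin/sh
# Added example, not the post's update_dns: the same zone rewrite with the
# checks a defender wants before a file that named serves is replaced.
# Assumes the zone layout from the post (10-digit SOA serial on the line
# ending in "; serial", A records holding the public address). named-checkzone
# and rndc are BIND's own tools and are used only when installed.

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
# The post's script pipes whatever dig printed straight into sed; this keeps
# an empty or malformed answer from ever reaching the zone file.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# zone_ip FILE: the address shared by all A records in FILE; prints nothing
# when there is no A record or the records disagree (a sign of a botched edit).
zone_ip() {
    awk 'NF >= 2 && $(NF-1) == "A" { seen[$NF] = 1 }
         END { n = 0; for (a in seen) { n++; last = a }; if (n == 1) print last }' "$1"
}

# rewrite_zone FILE NEWIP [SERIAL]: write FILE.new with every A record moved to
# NEWIP and the SOA serial bumped, and print the new path. SERIAL defaults to
# the epoch second as in the post, but the serial never goes backwards: when
# the file already holds a value >= SERIAL, old value + 1 is used instead, so
# secondaries that compare serials always see the change.
rewrite_zone() {
    file=$1
    newip=$2
    serial=${3:-$(date +%s)}
    is_ipv4 "$newip" || { echo "rewrite_zone: refusing bad address '$newip'" >&2; return 1; }
    awk -v ip="$newip" -v serial="$serial" '
        NF >= 2 && $(NF-1) == "A" { $NF = ip }
        NF >= 3 && $1 ~ /^[0-9]+$/ && $2 == ";" && $3 == "serial" {
            $1 = ($1 + 0 >= serial + 0) ? $1 + 1 : serial
        }
        { print }
    ' "$file" > "$file.new" && printf '%s\n' "$file.new"
}

# install_zone ZONE FILE: validate FILE.new, swap it in with one rename (named
# never reads a half-written file) and reload only that zone, instead of the
# stop / pkill -9 / restart sequence in the post.
install_zone() {
    zone=$1
    file=$2
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$file.new" \
            || { echo "install_zone: $file.new failed named-checkzone, keeping old zone" >&2; return 1; }
    fi
    mv -f "$file.new" "$file" || return 1
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$zone"
    fi
}

# update_zone ZONE FILE NEWIP: cron entry point. Does nothing when the zone
# already points at NEWIP; fails (leaving the old zone in place) when NEWIP is
# not an address or the rewritten zone does not validate.
update_zone() {
    zone=$1
    file=$2
    newip=$3
    [ "$newip" = "$(zone_ip "$file")" ] && return 0
    rewrite_zone "$file" "$newip" >/dev/null || return 1
    install_zone "$zone" "$file"
}

# Cron usage, with the post's placeholder for the dynamic DNS name (run from
# a script that sources these functions; constructed, not from the post):
#   update_zone starwars-xpto.com /var/lib/named/master/starwars-xpto.com \
#       "$(dig +short yourdomain_at_dyndns.org A | tail -n 1)"
```

One more item for the hardening the post defers: the named.conf above has allow-transfer { any; }, which lets any host pull the whole zone; restricting it to your secondaries (or to none, since ns1 and ns2 resolve to the same machine in this setup) is the first change to make.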
Cheers,
Pedro Oliveira
by Pedro M. S. Oliveira | Aug 10, 2009 | Linux, Solaris
Sometimes there's a need to use ssh with the password as a command line parameter. I know keys exist and may be used for a "passwordless" login, and I know you may use expect to create a script that types the password for you. But if you just want a plain simple tool to do it you may use plink.
Usually plink isn't available in the distro (at least with SuSE and Fedora), so you may need to download its source and compile it.
Get it from http://the.earth.li/~sgtatham/putty/latest/putty-0.60.tar.gz and follow the commands:
tar -zxvf putty-0.60.tar.gz
cd putty-0.60/unix
./configure ; make ; sudo make install
and you're done compiling.
Now let's talk about using plink. You may use plink as a regular ssh client, something like plink pedro@192.168.1.1, and it will behave as your regular ssh client. Now try plink user@server -pw your_password and "voilà", you are logged in. For safety reasons type "history -c" (this will clean up your history).
If you want to automate an ssh script to run in batch mode, for instance in a cron script (and this is the main use of plink), you may use something like the following. Let's suppose you have a text file called login_data.txt with two entries per line separated by spaces, the first entry being the host and the second the password, and you want to log in as root and execute the command poweroff:
#!/bin/bash
cat login_data.txt | while read LINE ; do
    CLEANED=`echo $LINE | tr -s " "` ;            # this will clean the extra spaces
    HOST=`echo $CLEANED | cut -d " " -f 1` ;      # this will extract the host
    PASSWD=`echo $CLEANED | cut -d " " -f 2` ;    # this will extract the passwd
    plink root@$HOST -pw $PASSWD poweroff < /dev/null ;   # /dev/null so plink doesn't swallow the rest of the file as its input
done
Just be very careful with permissions on files that have clear text passwords; ideally they shouldn't exist, but sometimes every sysadmin has such needs.
If you want you may check further info on plink on the PuTTY web site or by just typing plink on the command line.
The above script only works if you have already logged in at least one time (you still need to accept the ssh server key). If you want to totally automate it you may use expect (I'm hoping to write about it sometime soon).
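As an added example (not the post's script), here is the same batch loop with the checks the post's warning about clear-text password files calls for: it refuses a credentials file that group or others can read, skips blank and commented lines, and gives the remote command /dev/null as stdin so the client cannot consume the rest of the file. The command run per host is a parameter (my addition) so the loop can be exercised without plink; with no command it runs the post's plink call. The file format is the post's login_data.txt format; the function names and the sample hosts are mine.

```shell
#!/bin/sh
# Added example, not the post's script: the post's batch loop with the checks
# its warning about clear-text password files calls for. The credentials file
# is in the post's format (host, then password, separated by spaces); the
# command run per host is a parameter so the loop can be exercised without
# plink, and defaults to the post's plink call.

# secret_file_ok FILE: succeed only for a regular file with no group or other
# permission bits and no ACL ('+' after the mode in ls -l output).
secret_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-11)
    case $mode in
        -???------[!+]) return 0 ;;
    esac
    return 1
}

# run_batch FILE [CMD...]: for each "host password" line in FILE run
# CMD HOST PASSWORD; with no CMD, run the post's plink call. Blank lines and
# lines starting with # are skipped, runs of spaces are fine because read
# splits on whitespace, and the command's stdin is /dev/null so an interactive
# client (plink asking to accept a host key) cannot swallow the rest of FILE.
run_batch() {
    file=$1
    shift
    secret_file_ok "$file" || {
        echo "run_batch: $file must be a regular file with mode 600 (chmod 600 '$file')" >&2
        return 1
    }
    while read -r host passwd _rest; do
        case $host in ''|'#'*) continue ;; esac
        if [ $# -gt 0 ]; then
            "$@" "$host" "$passwd" </dev/null || echo "run_batch: $host failed" >&2
        else
            plink "root@$host" -pw "$passwd" poweroff </dev/null || echo "run_batch: $host failed" >&2
        fi
    done < "$file"
}

# Constructed usage (login_data.txt is the post's file name):
#   chmod 600 login_data.txt && run_batch login_data.txt
```

Even with a 600 file, plink -pw puts the password on the command line, where every local user can read it from the process list for as long as the session lasts; that is why the post points at keys and expect as the better options.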
Cheers and see you next time