
Xubuntu Remote Desktop (VNC)

Posted by on Friday, 22 May, 2009

Xubuntu 8.10 has no remote desktop / VNC server set up by default.

This lets us remote-desktop the console session (a user must already be logged in for it to work), which is all I need.

sudo apt-get install x11vnc
x11vnc -storepasswd

Put this into a script and make it executable:

#!/bin/bash
# Start x11vnc: require the password stored by `x11vnc -storepasswd` (-usepw), allow
# several viewers at once (-shared), keep listening after a viewer disconnects (-forever),
# and skip the X DAMAGE extension (-noxdamage), a common workaround for missed screen updates.
# Without -localhost it listens on all interfaces (port 5900), so firewall it or tunnel over SSH.
/usr/bin/x11vnc -usepw -shared -forever -noxdamage &

And add to Applications > Settings > Settings Manager > Autostarted Apps


Network Time Protocol

Posted by on Friday, 22 May, 2009

About

The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (jitter).

NTP is one of the oldest Internet protocols still in use (since before 1985). NTP was originally designed by Dave Mills of the University of Delaware, who still maintains it, along with a team of volunteers.

NTP: The Network Time Protocol
Network Time Protocol – Wikipedia
http://www.pool.ntp.org
http://www.pool.ntp.org/zone/nz

Xubuntu

I configure NTP via Applications > System > Time and Date, and enable/install the NTP server from there.

New Zealand pool zone (nz.pool.ntp.org): to use it, add the following servers:

server 0.nz.pool.ntp.org
server 1.oceania.pool.ntp.org
server 2.oceania.pool.ntp.org

Skip to Sync Time and Start ntpd

Debian Install

apt-get install ntp ntp-simple ntp-server ntp-doc ntpdate
/etc/init.d/ntp stop

Debian Configure ntp.conf

/etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd
# ntpd will use syslog() if logfile is not defined
#logfile /var/log/ntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
server 0.nz.pool.ntp.org
server 1.oceania.pool.ntp.org
server 2.oceania.pool.ntp.org
# ... and use the local system clock as a reference if all else fails
# NOTE: in a local network, set the local stratum of *one* stable server
# to 10; otherwise your clocks will drift apart if you lose connectivity.
server 127.127.1.0
fudge 127.127.1.0 stratum 13
# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
#restrict 192.168.123.0  mask  255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 172.29.10.255
# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient

Sync Time and Start ntpd

Sync the system time to MSL's NTP server (msltime.irl.cri.nz).
Sync the CMOS hardware clock to the system time.
Start ntpd.

/etc/init.d/ntp stop
ntpdate msltime.irl.cri.nz
hwclock --systohc
/etc/init.d/ntp start

After several minutes, run the command ntpq -c pe to check that the ntpd program is running correctly. The response should be something like this:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+mx1.airstream.n 192.43.244.18    2 u   17   64  377   60.427    6.119  16.022
*ds001.hostingsh 128.250.36.2     2 u   15   64  377   81.001    3.360   2.382
+ns2.tpnet.co.nz 131.107.13.100   2 u    1   64  377   56.908   54.138  32.835

The “reach” column should be greater than 0 and should increase with time (patience is good with NTP) to eventually reach 377, which is as high as it goes (it is an octal bit mask of the last eight polls, so 377 means all eight were answered). The offset and jitter should not be 0.0000. In case of problems, consult the system log file to see if the program has written an error message.
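To turn the checks above into something that can run from cron rather than by eye, here is an added example (not part of the original post) that parses ntpq -c pe output and applies the post's rules: a system peer must be selected, reach should be 377, and offset/jitter should not both be exactly zero. The first sample is the post's own table embedded as a string; the second is a constructed table of an unhealthy, freshly started ntpd.

```python
"""Parse `ntpq -c pe` output and judge whether ntpd looks healthy."""

# Tally codes ntpq prints in the first column (see ntpq(8)).
TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", "o": "pps", " ": "rejected"}

# Constructed sample: the post's own example output.
HEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+mx1.airstream.n 192.43.244.18    2 u   17   64  377   60.427    6.119  16.022
*ds001.hostingsh 128.250.36.2     2 u   15   64  377   81.001    3.360   2.382
+ns2.tpnet.co.nz 131.107.13.100   2 u    1   64  377   56.908   54.138  32.835
"""

# Constructed sample: a just-started ntpd; one peer never answered, the other
# answered two of its polls, and no system peer has been chosen yet.
UNHEALTHY = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.nz.pool.ntp.o .INIT.          16 u    -   64    0    0.000    0.000   0.000
 1.oceania.pool. 192.0.2.10       2 u   12   64    3   45.120    2.011   1.500
"""


def parse_peers(text):
    """Return one dict per peer line; the tally character is kept separately."""
    peers = []
    for line in text.splitlines()[2:]:          # skip the header and ==== rule
        if not line.strip():
            continue
        fields = line[1:].split()
        if len(fields) != 10:
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": TALLY.get(line[0], "unknown"),
            "remote": remote, "refid": refid, "stratum": int(st), "type": t,
            "when": when, "poll": int(poll),
            "reach": int(reach, 8),               # printed in octal; 377 = all 8 bits set
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def polls_answered(reach):
    """reach is an 8-bit shift register of the last eight polls; count the replies."""
    return bin(reach & 0xFF).count("1")


def assess(peers):
    """Apply the post's rules; an empty list means ntpd looks healthy."""
    problems = []
    if not any(p["tally"] == "syspeer" for p in peers):
        problems.append("no system peer selected yet (no '*' line)")
    for p in peers:
        name = p["remote"]
        if p["reach"] == 0:
            problems.append(f"{name}: reach 0, no reply received")
        elif p["reach"] != 0o377:
            answered = polls_answered(p["reach"])
            problems.append(f"{name}: reach {p['reach']:o}, only {answered} of the last 8 polls answered")
        if p["offset"] == 0.0 and p["jitter"] == 0.0:
            problems.append(f"{name}: offset and jitter are exactly 0, no measurement yet")
        if p["stratum"] >= 16:
            problems.append(f"{name}: stratum 16, unsynchronised source")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: ntpq -c pe | python3 ntpcheck.py   (falls back to the sample when run alone)
    text = sys.stdin.read() if not sys.stdin.isatty() else HEALTHY
    for line in assess(parse_peers(text)) or ["ntpd looks healthy"]:
        print(line)
```

A non-empty result from assess() is what you would alert on; the stratum 16 and reach 0 cases are what a server looks like while DNS or the firewall is still blocking UDP 123.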

A Word of Warning

What timezone is correct for your system? It depends on the geographical location of the machine. Getting the correct location is important, but the system must also know how your hardware clock is set. Most DOS-based PCs set their hardware clock to local time, while most UNIX systems set their hardware clock to UTC.

The Debian GNU/Linux system gains its knowledge of this setting from the file /etc/default/rcS. This file contains either the line UTC=yes, which indicates that the hardware clock is set to UTC, or the line UTC=no, which declares that the hardware clock is set to local time. If this setting is correct, and the hardware clock is truly set as indicated, then configuring the proper timezone for the machine will cause the proper date and time to be displayed. If these are not set correctly, the reported time will be quite incorrect. See hwclock(8) for more details on this topic.

Xubuntu uses UTC=no, which is best for a dual-boot setup with Windows.

tzconfig

The work done by tzconfig is actually pretty simple. It just copies the correct timezone file from /usr/share/zoneinfo/ to /etc/localtime and puts the name of the timezone into /etc/timezone.

There is nothing wrong with doing this manually. However, using tzconfig you don't have to remember the path to the timezones.
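As an added example (not part of the original post), the following does by hand what the post says tzconfig does, and then checks that the three files the two preceding sections describe agree with each other: /etc/timezone names a zone, /etc/localtime is a byte-for-byte copy of that zone's file under /usr/share/zoneinfo, and /etc/default/rcS says UTC=yes or UTC=no. The root argument, the zone-name validation and the constructed test tree are additions of this example, not anything tzconfig itself offers.

```python
"""Manual tzconfig equivalent plus a consistency check of the Debian time files."""
import os
import shutil
import filecmp
import tempfile

ZONEINFO = "usr/share/zoneinfo"


def valid_zone_name(name):
    """Reject empty, absolute or path-traversing names such as '../../etc/passwd'."""
    return bool(name) and not name.startswith("/") and ".." not in name.split("/")


def set_timezone(name, root="/"):
    """What tzconfig does: copy the zone file to /etc/localtime and record its
    name in /etc/timezone. `root` is an added parameter so this can target a
    test tree instead of the live system."""
    if not valid_zone_name(name):
        raise ValueError(f"bad zone name {name!r}")
    zone = os.path.join(root, ZONEINFO, name)
    if not os.path.isfile(zone):
        raise FileNotFoundError(f"no such zone file: {zone}")
    shutil.copyfile(zone, os.path.join(root, "etc/localtime"))
    with open(os.path.join(root, "etc/timezone"), "w") as fh:
        fh.write(name + "\n")


def hwclock_is_utc(root="/"):
    """Parse UTC=yes / UTC=no from /etc/default/rcS (Debian of the post's era)."""
    with open(os.path.join(root, "etc/default/rcS")) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()     # ignore comments
            if line.startswith("UTC="):
                return line[4:].strip().lower() == "yes"
    raise ValueError("rcS has no UTC= line; hardware clock mode unknown")


def check_timezone(root="/"):
    """Return a list of inconsistencies; an empty list means the files agree."""
    problems = []
    try:
        with open(os.path.join(root, "etc/timezone")) as fh:
            name = fh.read().strip()
    except FileNotFoundError:
        return ["/etc/timezone missing"]
    zone = os.path.join(root, ZONEINFO, name)
    localtime = os.path.join(root, "etc/localtime")
    if not valid_zone_name(name) or not os.path.isfile(zone):
        problems.append(f"/etc/timezone names {name!r}, not a zoneinfo file")
    elif not os.path.exists(localtime):
        problems.append("/etc/localtime missing")
    elif not filecmp.cmp(localtime, zone, shallow=False):
        problems.append(f"/etc/localtime is not a copy of zoneinfo/{name}")
    try:
        hwclock_is_utc(root)
    except (FileNotFoundError, ValueError) as exc:
        problems.append(f"cannot tell how the hardware clock is set: {exc}")
    return problems


def make_fake_root(utc_line="UTC=no"):
    """Constructed test tree: a stand-in zone file and a minimal rcS."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ZONEINFO, "Pacific"))
    os.makedirs(os.path.join(root, "etc/default"))
    with open(os.path.join(root, ZONEINFO, "Pacific/Auckland"), "wb") as fh:
        fh.write(b"TZif2-stand-in-bytes")        # not a real zone file, just content to compare
    with open(os.path.join(root, "etc/default/rcS"), "w") as fh:
        fh.write(f"# rcS\n{utc_line}\n")
    return root


if __name__ == "__main__":
    root = make_fake_root()
    set_timezone("Pacific/Auckland", root)
    print("problems:", check_timezone(root) or "none")
    print("hardware clock on UTC:", hwclock_is_utc(root))
```

Run against the live system (root="/") it needs only read access; set_timezone needs root. On a dual-boot box the check_timezone() call is the quick way to confirm the UTC=no line the post recommends is actually present before trusting what hwclock --systohc wrote.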

Link to my wiki on Network Time Protocol configuration [hydrogen.net.nz]


Throttle SSH Connections

Posted by on Friday, 22 May, 2009

I run this on my VPS to throttle SSH connections from dictionary attacks (OR disable keyboard-based auth and allow only shared keys. No key, no access!).

Configure your services properly rather than relying on a firewall to protect you from lazy configuration. This is all I use iptables for.

/etc/network/iptables.conf

#!/bin/bash
# iptables script.
#
# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-existing user-defined chains and zero the counters
# before we implement new rules.
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/ip6tables -F
/sbin/ip6tables -X
/sbin/ip6tables -Z
# Drop all IPv6 connections.
/sbin/ip6tables -P INPUT DROP
# Create SSH chain.
/sbin/iptables -N SSH
# Drop a new connection if its source address is already in the "recent" list with
# 3 or more hits in the last 600 seconds (a matched, dropped attempt refreshes the entry).
/sbin/iptables -A SSH -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
# Otherwise record the source address in the recent list...
/sbin/iptables -A SSH -p tcp -m state --state NEW -m recent --set
# ...and accept the connection.
/sbin/iptables -A SSH -p tcp -j ACCEPT
# Jump ssh traffic to SSH chain.
/sbin/iptables -A INPUT -p tcp --dport 22 -j SSH
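It is easy to misjudge what --update --seconds 600 --hitcount 3 followed by --set actually lets through, so here is an added example (not part of the original post) that models the SSH chain above for a sequence of new connections from one address. The timestamps and addresses are constructed; the window and threshold are the script's. The match semantics follow the kernel's xt_recent module as I understand it: --update only matches an address already in the list, counts that address's recorded hits inside the window, and records the current hit only when the rule matched; --set always records. Compare with /proc/net/xt_recent/DEFAULT on the real host if you want to confirm the model.

```python
"""Model of the post's SSH chain: two `-m recent` rules followed by ACCEPT."""

SECONDS = 600      # --seconds 600
HITCOUNT = 3       # --hitcount 3
LIST_MAX = 20      # xt_recent keeps ip_pkt_list_tot timestamps per address (module default 20)


class RecentList:
    """The per-address timestamp lists that `-m recent` keeps (the DEFAULT list)."""

    def __init__(self):
        self.stamps = {}

    def _record(self, addr, now):
        lst = self.stamps.setdefault(addr, [])
        lst.append(now)
        if len(lst) > LIST_MAX:           # ring buffer: the oldest hit is overwritten
            del lst[0]

    def update(self, addr, now):
        """`--update --seconds S --hitcount N`: match only if addr is listed and has
        at least N hits within the last S seconds; a match refreshes the entry."""
        lst = self.stamps.get(addr)
        if lst is None:
            return False
        hits = sum(1 for t in lst if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self._record(addr, now)
            return True
        return False

    def set(self, addr, now):
        """`--set`: list the address (creating it if needed) and record this hit."""
        self._record(addr, now)


def ssh_chain(table, addr, now):
    """Walk the SSH chain for one NEW tcp/22 connection and return the verdict."""
    # -A SSH -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
    if table.update(addr, now):
        return "DROP"
    # -A SSH -p tcp -m state --state NEW -m recent --set
    table.set(addr, now)
    # -A SSH -p tcp -j ACCEPT
    return "ACCEPT"


def simulate(attempts):
    """attempts: sequence of (seconds, source address); returns verdicts in order."""
    table = RecentList()
    return [ssh_chain(table, addr, t) for t, addr in attempts]


if __name__ == "__main__":
    # Constructed: one address hammering port 22, another connecting once,
    # then the first one coming back after the window has passed.
    burst = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
             (30, "203.0.113.5"), (40, "203.0.113.5"), (45, "198.51.100.7"),
             (615, "203.0.113.5"), (700, "203.0.113.5")]
    for (t, addr), verdict in zip(burst, simulate(burst)):
        print(f"t={t:4d}s {addr:15s} {verdict}")
```

Two things the model makes visible: with --hitcount 3 it is the fourth new connection inside ten minutes that gets dropped, not the third, and because a matched --update refreshes the entry, an address that keeps retrying while blocked keeps extending its own block (the attempt at t=615 above is still dropped, although only one of the three accepted connections lies inside the window). Legitimate users who mistype a password twice and reconnect are the cost to weigh; the post's key-only alternative avoids that trade-off entirely.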