SSH over HTTP Proxy

Using SSH to connect to a host when an HTTP proxy sits between the client and the host cannot be done directly; some configuration is needed first.

On Linux-based machines the solution is to install and run corkscrew, a small program that tunnels the SSH connection through the HTTP proxy by asking the proxy to open a raw TCP tunnel with its CONNECT method.

So how is the configuration done?

1) First install the corkscrew program with your package manager. On the Ubuntu family: apt-get install corkscrew

2) Then configure SSH to use corkscrew when connecting to the host that sits on the other side of the HTTP proxy.

3) In a command shell, go to your home directory and change into the hidden .ssh directory.

4) Create or edit a file named config. The name is just config, with no extension.

5) Add the following lines to the config file

Host <IP_of_remote_host>
    ProxyCommand corkscrew <IP_of_HTTP_Proxy> <HTTP_Proxy_Port> %h %p <auth_file>

Where <IP_of_remote_host> is the public IP address of the host you wish to connect to.

<IP_of_HTTP_Proxy> and <HTTP_Proxy_Port> are the IP address and port of the local HTTP proxy server you wish to go through. The %h and %p placeholders are expanded by ssh to the remote host and port, so corkscrew always asks the proxy for the host you typed on the ssh command line.

And finally, if your proxy server requires authentication by username and password, give the complete path to a file where the proxy credentials are stored, for example /home/primalcortex/.corkscrew-auth. Because this file holds the proxy password in clear text, make sure it is readable only by your own user (mode 600).

This file content must be something like:

username:password

For example, a complete config file:

Host 78.0.1.3
    ProxyCommand corkscrew 192.168.1.1 8080 %h %p /home/primalcortex/.corkscrew-auth

and the .corkscrew-auth file:

myproxyuser:rtwertjwe4

6) Now just connect:

ssh myremoteuser@78.0.1.3

or, when the remote host is not using the default SSH port:

ssh -p 12345 myremoteuser@78.0.1.3

Whatever port you use, the proxy must allow the CONNECT method to it. Many corporate proxies only permit CONNECT to port 443, and in that case the usual workaround is to have sshd on the remote host listen on 443 as well.

7) Done!
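What corkscrew actually sends to the proxy is a single HTTP CONNECT request, so it is worth seeing it spelled out. The shell functions below are an added example, not part of the original post or of corkscrew itself: they build the same kind of request corkscrew does (a CONNECT line plus a Basic Proxy-Authorization header derived from the user:password file), classify the proxy's status line, and optionally send the request with nc to find out whether the proxy lets you through to port 22 at all, with ssh out of the loop. The function names and the 192.168.1.1/8080/78.0.1.3 values are illustrative.

```sh
# Added example (not from the original post): the HTTP CONNECT exchange that
# corkscrew performs on ssh's behalf, written out so it can be inspected and
# probed by hand. Function names and addresses are illustrative.

# Build the Proxy-Authorization header from a corkscrew-style auth file,
# whose single line is "username:password" (Basic auth is just base64 of that).
proxy_auth_header() {
    authfile=$1
    creds=$(head -n 1 "$authfile" | tr -d '\r\n')
    encoded=$(printf '%s' "$creds" | base64 | tr -d '\n')
    printf 'Proxy-Authorization: Basic %s\r\n' "$encoded"
}

# Build the complete CONNECT request for host:port (CRLF line endings, blank
# line terminator); the third argument, if given, is the auth file.
build_connect_request() {
    host=$1; port=$2; authfile=${3:-}
    printf 'CONNECT %s:%s HTTP/1.0\r\n' "$host" "$port"
    if [ -n "$authfile" ]; then
        proxy_auth_header "$authfile"
    fi
    printf '\r\n'
}

# Classify the proxy's reply from its status line: only a 200 means the TCP
# tunnel is open and ssh's own handshake can start behind it.
classify_connect_reply() {
    reply=$1
    status=$(printf '%s\n' "$reply" | head -n 1 | tr -d '\r' | awk '{print $2}')
    case "$status" in
        200) echo "tunnel-open" ;;
        407) echo "proxy-auth-required" ;;   # credentials missing or wrong
        "")  echo "no-reply" ;;
        *)   echo "refused:$status" ;;       # e.g. 403: CONNECT to this port not allowed
    esac
}

# Live probe (needs the network; not used by the offline checks): send the
# request with nc and report what the proxy said, e.g.
#   probe_proxy 192.168.1.1 8080 78.0.1.3 22 ~/.corkscrew-auth
probe_proxy() {
    proxy=$1; pport=$2; host=$3; port=$4; authfile=${5:-}
    reply=$(build_connect_request "$host" "$port" "$authfile" | nc -w 5 "$proxy" "$pport" || true)
    classify_connect_reply "$reply"
}
```

If probe_proxy reports refused:403 for port 22 but tunnel-open for port 443, the proxy's CONNECT policy is the problem, not your ssh configuration.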

So why do we need this?

Well, first of course to access a remote machine, but SSH can also forward local ports to remote ports, and this matters because with that feature we can make Thunderbird talk directly to a remote mail server over the standard IMAP and SMTP protocols through an HTTP proxy.

MySQL on a Ubuntu VPS

Using the great site lowendbox.com I've "bought" an Ubuntu-based VPS (Virtual Private Server) that I can use for my testing…

Anyway, I needed to install the MySQL database on this Ubuntu Server based VPS, which is simply done by running the following commands:

apt-get update
apt-get install mysql-client mysql-server

During the installation process a password for the MySQL root user is required. Just make sure that it's strong enough (hint: use the KeePass password generator…)

After installing and running, the MySQL server is available on port 3306 and normally only on the loopback address (the bind-address setting in /etc/mysql/my.cnf is what controls this). But anyway I've changed the local firewall rules to block all connections to port 3306 that don't come from the loopback adapter, so that a change to that setting can't silently expose the server: just edit the /etc/rc.local file and add the following lines before the exit 0 command

# accept anything whose source and destination are the loopback address (local MySQL clients)
iptables -A INPUT -p all -s localhost -d localhost -j ACCEPT
# everything else aimed at 3306 is rejected with an ICMP port-unreachable
iptables -A INPUT -p tcp --destination-port 3306 -j REJECT

Then, as the root user, just run /etc/rc.local and make sure that the rules are active:

root@vpss:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
ACCEPT     all  --  localhost.localdomain  localhost.localdomain 
REJECT     tcp  --  anywhere             anywhere             tcp dpt:mysql reject-with icmp-port-unreachable

And that's it. Note that the listing shows everything twice, and each ACCEPT rule four times per run: the four copies are there because the name localhost resolved to more than one address on this box and iptables adds one rule per source/destination combination, and the second set is there because the rules were appended twice (rc.local runs at every boot and was also run by hand), since -A always appends. The duplicates are harmless here, but they show that the script is not safe to re-run blindly; iptables -L -n lists the addresses numerically instead of as resolved names, which makes such listings easier to read.
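The duplicated rules in the listing above come from iptables -A appending unconditionally each time rc.local runs. As an added example (not from the original post), here is the same lockdown written so that it can be run any number of times: each rule is appended only if iptables -C reports it absent, and the loopback rule matches the lo interface instead of the name localhost, so it does not depend on /etc/hosts resolution. The function names are made up for the example; it assumes only the iptables command line and must run as root.

```sh
# Added example (not from the original post): the MySQL lockdown from above made
# safe to re-run. Assumes only the iptables command line; must run as root.

# Append a rule only if an identical one is not already in the chain.
# "iptables -C" exits 0 when the rule exists, 1 when it does not.
add_rule_once() {
    if iptables -C "$@" 2>/dev/null; then
        echo "present: $*"
    else
        iptables -A "$@" && echo "added: $*"
    fi
}

# Accept loopback traffic by interface (no hostname lookup, no surprise
# expansion into several rules), then reject any other connection to 3306.
mysql_lockdown() {
    add_rule_once INPUT -i lo -j ACCEPT
    add_rule_once INPUT -p tcp --dport 3306 -j REJECT
}

# Rules in iptables-save syntax, numerically, for verification after a reboot.
show_input_rules() {
    iptables -S INPUT
}
```

Call mysql_lockdown from rc.local in place of the two raw iptables lines; a second run prints "present:" for both rules and changes nothing.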

Now we need a backup policy so that if anything goes wrong, at least we have some data to recover…

Openssl on [K]Ubuntu and the SSLv2 protocol

While troubleshooting a problem related to TLS/SSLv2/SSLv3, I've found out that, for security reasons, all support for SSLv2 in Ubuntu's openssl package was removed.

Check out this: http://security.sunera.com/2011_02_01_archive.html for more information. This is very important if Ubuntu is used as the OS for running vulnerability scanning, because the lack of SSLv2 support in Ubuntu's openssl package will always give a false negative for a site that has SSLv2 enabled: the client cannot even attempt an SSLv2 handshake, so the server looks clean whatever it actually offers…

So if there is a need to check for SSLv2 support, or to do SSLv2 vulnerability scanning, from an Ubuntu host, download, compile and use the OpenSSL sources (with SSLv2 enabled at build time). A quick way to tell the two cases apart: if s_client complains about an unknown -ssl2 option, it is your client that lacks the protocol; only a failed handshake means the server does not offer it.

Just for reference, how to check for each protocol (the first flag selects the protocol version the client will offer; 10.0.0.0 is a placeholder address):

TLSv1 -> openssl s_client -tls1 -connect 10.0.0.0:443

SSLv2 -> openssl s_client -ssl2 -connect 10.0.0.0:443

SSLv3 -> openssl s_client -ssl3 -connect 10.0.0.0:443 -showcerts
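Because a stripped-down openssl answers -ssl2 with an "unknown option" error rather than with a failed handshake, a scan script that only looks for a failed handshake gets exactly the false negative described above. The wrapper below is an added example, not from the original post: it runs the same s_client checks and turns the output into one of four verdicts, telling a client that lacks the protocol apart from a server that refuses it. Function names are made up; it relies only on the wording of s_client's own output (the "unknown option" / "Unknown option" error, and the "Cipher is (NONE)" line printed when no cipher was negotiated).

```sh
# Added example (not from the original post): s_client checks that distinguish
# "my openssl cannot speak this protocol" from "the server refused it".
# Function names are illustrative; 10.0.0.0 is the placeholder from the post.

# Turn raw s_client output into a single verdict word.
classify_s_client_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo "client-unsupported"   # this build lacks the protocol: the result says nothing about the server
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "server-refused"       # connected, handshake attempted, no cipher negotiated
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo "server-supports"      # a cipher was negotiated under the requested protocol
    else
        echo "connect-error"        # no TCP connection or no handshake output at all
    fi
}

# proto is the s_client flag: -ssl2, -ssl3 or -tls1.
probe_protocol() {
    host=$1; port=$2; proto=$3
    out=$(openssl s_client "$proto" -connect "$host:$port" </dev/null 2>&1 || true)
    classify_s_client_output "$out"
}

# Check all three against one host, e.g.  scan_host 10.0.0.0 443
scan_host() {
    host=$1; port=${2:-443}
    for proto in -ssl2 -ssl3 -tls1; do
        printf '%-6s %s\n' "$proto" "$(probe_protocol "$host" "$port" "$proto")"
    done
}
```

Any "client-unsupported" line in the scan_host output means that protocol was never tested and the scan must be repeated from a build that has it.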

Visio alternative for Linux

We all know that Visio for Linux will never be a reality, and so all we have right now are tools that, from a usability or feature point of view, are limited: DIA and Kivio 1.6

The new version of Kivio, foreseen for the Calligra suite, is being worked on and might become a reality, but with an unknown set of stencils/icons.

I'm not the only one that, for work reasons, has this need, as this post on Reddit shows: http://www.reddit.com/r/linux/comments/ewhy5/alternatives_to_dia/

There are some great alternatives here, some free, some limited, that can be used to make at least good-looking diagrams without resorting to a virtual machine running Windows and Visio:

1) http://www.gliffy.com

2) http://www.lucidchart.com

3) http://www.mxgraph.com/

Private Dokuwiki on multiple computers using Dropbox

Dropbox is a great tool, and due to its file sync capabilities it makes a lot of "hack" solutions possible, like the one I'm going to describe here:

If you have a personal wiki that you want to share between several computers, the usual "normal" way of doing so is to set up a 24/7 web server with Apache/Lighttpd and, in my case, install DokuWiki. Then all the client PCs have to do to access the wiki is point their browser at this web server. But what this means is that you really need to have a web server available 24/7, even when not using it… And where to locate this web server? At my home? Pay hosting fees? And what if I don't have a connection to it? And so on…

The solution is to use Dropbox as the data repository for the DokuWiki content. The content is always available and replicated automatically on all computers, even when you don't have internet access. You can even share your wiki privately with your friends/family/colleagues by inviting them to the wiki folder… and of course setting up Lighttpd on their computers.

How it works:

I'm using Lighttpd as the web server. For personal use it is more than enough, and it supports PHP5 and DokuWiki just fine. Lighttpd is installed on all computers that access the wiki.

The installation steps for Ubuntu/Kubuntu and derivatives are the following:

1) Install the Lighttpd, php5 and dokuwiki packages: apt-get install lighttpd php5-cgi dokuwiki

During installation of dokuwiki you will be asked which web server should be configured automatically, namely Apache or lighttpd. We must choose the latter, lighttpd, by pressing space (so that a * appears) and, if Apache is not installed, deselect Apache.

The next question is whether, if the dokuwiki package is ever removed, the wiki content should ALSO be removed… We should answer NO.

Then, finally, the wiki admin password is asked for.

After installation the lighttpd server should start automatically, and opening http://localhost in a browser should show the default web server page.

Then follow these instructions http://redmine.lighttpd.net/wiki/lighttpd/TutorialLighttpdAndPHP#Configuration to enable Lighttpd with PHP5.

Basically this means editing the php.ini file located at /etc/php5/cgi/php.ini and the lighttpd.conf file located in the /etc/lighttpd directory. These changes must be made as the root user (use sudo -s in a command shell).

Make sure that when pasting the fastcgi.server section into lighttpd.conf, the "bin-path" entry points to the php5-cgi binary, normally located at /usr/bin/php5-cgi

Save and restart the lighttpd server with the command /etc/init.d/lighttpd restart


2) Copy /usr/share/dokuwiki to /var/www with the following command: cp -R /usr/share/dokuwiki /var/www and make sure the permissions are correct: chown -R www-data:www-data /var/www/dokuwiki

Note that in the copy command there are no trailing slashes.

3) You can rename the folder from dokuwiki to another name, like wiki, to change the URL. This is optional.

4) Create the DokuWiki data directory on your Dropbox: mkdir -p ~/Dropbox/wiki/data This should be done on only ONE computer; the others will synchronize automatically.

5) Change the ownership of the directory: sudo chown -R www-data ~/Dropbox/wiki/data This should be done on ALL computers. Keep in mind that the Dropbox client runs as your own user, so your user must keep write access to this tree (through the group, for example) for changes made on the other computers to be written locally.

6) Edit the DokuWiki configuration file dokuwiki.php located in /etc/dokuwiki and change the value of the $conf['savedir'] line to the data location in the Dropbox folder. In my case I changed the default value from $conf['savedir']='/var/lib/dokuwiki/data'; to $conf['savedir']='/home/primalcortex/Dropbox/wiki/data';

You must do this on all computers, probably only changing the Dropbox location. If you're using the same username on all computers, just copy the file between them using Dropbox…

And that's it. Accessing the URL http://localhost/dokuwiki now uses the local lighttpd web server with all data synchronized between computers, and it works EVEN when offline.

You can now invite your work colleagues to this folder and have all data available at all times to anyone using the same scheme. Bear in mind what that means: everyone invited to the folder gets direct read and write access to the page files themselves, so DokuWiki's own access control lists (which live in the local /etc/dokuwiki configuration, not in the synced data directory) do not restrict them, and two people saving the same page at the same moment will end up with a Dropbox "conflicted copy" file rather than a merged page.

EDIT: You may find the following error when using the wiki based on your Dropbox directory: The datadir ('pages') does not exist, isn't accessible or writable. You should check your config and permission settings.

The problem is file/directory permissions, because the user www-data used by lighttpd can't traverse your home directory/Dropbox directory.

There are two solutions, the easy one being to add the www-data user to your own group, in my case the group named primalcortex.

The other solution is to add the following permissions: chmod o+x /home/username and chmod o+x /home/username/Dropbox

The first solution is better because the Dropbox software can or might change the Dropbox directory permissions. Just make sure that your home directory permissions are 750, so that the group (which now includes www-data) can enter it while other users still cannot.
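Rather than guessing which directory is the one keeping www-data out, the following added example (not from the original post) walks every ancestor of the data directory and reports the first one the given user cannot search, applying the same rule the kernel does for the execute bit: the owner's bit if the user owns the directory, the group bit if the user is in the directory's group, otherwise the "other" bit. Function names are illustrative; www-data and the Dropbox path are parameters.

```sh
# Added example (not from the original post): report the first ancestor directory
# that a given user (www-data by default) cannot enter on the way to the wiki
# data directory. Function names are illustrative.

# Permission string such as "drwxr-x---", owner and group of a path.
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Exit 0 if "user" may search (enter) the directory, applying the kernel's rule:
# owner bit if the user owns it, else group bit if the user is in its group,
# else the "other" bit. 's' and 't' count as x with setgid/sticky added.
dir_searchable_by() {
    dir=$1; user=$2
    mode=$(mode_of "$dir")
    ux=$(printf '%s' "$mode" | cut -c4)
    gx=$(printf '%s' "$mode" | cut -c7)
    ox=$(printf '%s' "$mode" | cut -c10)
    if [ "$(owner_of "$dir")" = "$user" ]; then
        case "$ux" in x|s) return 0 ;; esac
        return 1
    fi
    if id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$(group_of "$dir")"; then
        case "$gx" in x|s) return 0 ;; esac
        return 1
    fi
    case "$ox" in x|t) return 0 ;; esac
    return 1
}

# Walk from / down to the target; print the first directory "user" cannot enter,
# or "ok" if the whole path is traversable. Example:
#   first_blocking_dir /home/primalcortex/Dropbox/wiki/data www-data
first_blocking_dir() {
    target=$1; user=${2:-www-data}
    path=""
    oldifs=$IFS; IFS=/
    for part in $target; do
        IFS=$oldifs
        [ -n "$part" ] || continue
        path="$path/$part"
        [ -d "$path" ] || break
        if ! dir_searchable_by "$path" "$user"; then
            echo "$path"
            return 1
        fi
    done
    IFS=$oldifs
    echo "ok"
    return 0
}
```

The directory it prints is the one that needs either the o+x bit or a group that www-data belongs to; after adding www-data to your group and setting your home to 750, the same call should print ok.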

Firefox and Dropbox syncronization for Bookmarks and Passwords

EDIT: Mozilla Weave is OK now and I fully use it. No hacks anymore, so the rest of this post is here for historical reasons: Just use Mozilla Weave.

After upgrading from Mozilla Firefox 3.0 to 3.5 I tried Mozilla Weave for syncing my bookmarks and passwords on all my computers. I was using version 0.8 (1.0b1 is out now), but despite working more or less, most of my bookmarks were misplaced, put out of order, moved to unsorted bookmarks… a mess. Tidying up the bookmarks on one browser doesn't mean that it would be OK on another, so after only 5 days of use I thought that there is probably a better solution, and I found it.

The solution is to use Dropbox https://www.dropbox.com/referrals/NTE1NTQzMTA5 together with the Firefox add-on SyncPlaces: http://www.andyhalford.com/syncplaces/ for synchronizing bookmarks and passwords. It works as it should. It doesn't mess with bookmarks, the order is kept, icons are kept, and passwords are synchronized without any issue.

So, what are the steps:

– Install Dropbox and create an account.

– Install the Syncplaces add-on for Firefox

– Create a directory for storing Firefox information on your Dropbox folder, for example: mkdir ~/Dropbox/Firefox

– In your Firefox menu, go to Bookmarks->SyncPlaces->Options

– Select the Server tab, and then on the Connection sub-tab select the protocol File

– Now select the Synchronization tab and define the path for the files: prefix the suggested name with /home/primalcortex/Dropbox/Firefox. So it should look like

JSON PATH: /home/primalcortex/Dropbox/Firefox/syncplaces.json

If you want, you can also output in HTML and XBEL format. Use the same path for the files.

– For synchronizing passwords, select the passwords check-box and enter a strong password. This password is what protects the exported passwords file, which will sit on Dropbox's servers and on every synced machine, so treat it as a master password. The password path is like the previous ones: /home/primalcortex/Dropbox/Firefox/passwords

You're set. Down on the Firefox status bar there is now an icon with blue and red lines/circles; right-click it and select Send Bookmarks/Passwords. Make sure that the files were created in the Dropbox Firefox folder. Now Dropbox synchronizes these files into the "cloud", and they are available on your other Dropbox computers.

On the other computers, just repeat the configuration process (install Dropbox, SyncPlaces, same configuration), but this time select the Receive Bookmarks/Passwords option on the SyncPlaces icon. (Make sure that you use the same password for the password export/import feature on all computers.)

Voilà, full no-fuss working synchronization! You can now decide which is the master machine, if you want to, by tweaking the merge options of the SyncPlaces add-on. Also, to avoid bookmark duplication, I recommend installing the BookmarkDD add-on at http://bookmarkdd.mozdev.org/installation.html and setting it not to pop up when duplicate bookmarks are found. This way, during import, no duplicate bookmarks are imported.

Now you can automate the synchronization process by configuring SyncPlaces to synchronize at a specific time, or periodically/automatically, and you're set.

Vmware 6.5.3 on Karmic Koala

Installing: At least these instructions worked for me:

$ sudo bash
# chmod +x VMware-Workstation-6.5.3-185404.x86_64.bundle
# export VMWARE_SKIP_MODULES=true
# ./VMware-Workstation-6.5.3-185404.x86_64.bundle
# vmware-modconfig --console --install-all

Voilà, VMware installed without any issue. I've compiled the modules after installation because there are reports that it may hang when done by the installer. Not sure, because I didn't try it. All VM machines appear to be working.
Now for the other issues:

After upgrading from Kubuntu 9.04 to 9.10, I needed to upgrade to VMware Workstation 6.5.3, as is the subject of this post… My previous version was 6.5.0. With this upgrade some older issues were back and new issues appeared…

– Keyboard mappings were again all wrong, with my Portuguese keyboard wrongly configured and some keys just wouldn't work.

– The other annoying issue was the grab/ungrab mouse cursor problem. The Kubuntu task bar area and the floating VMware toolbar area were unusable when the VM machines are in full screen. So for example the Windows task bar is, when the machine is full screen, in the same screen area as the KDE taskbar. The cursor in this area just flickered away like mad, and it was pretty difficult to do anything there. This also means that the Windows taskbar and systray were almost unusable and inaccessible, and I just couldn't do anything in this area. The temporary workaround was to use the machines not in full screen…
The solutions:
For the keyboard problem, in my home directory, just go to the .vmware hidden directory (create one if it doesn't exist) and add the following to the file named config:

xkeymap.nokeycodeMap = true
xkeymap.keycode.61 = 0x035
xkeymap.keycode.61 = 0x5f
xkeymap.keycode.47 = 0x027
xkeymap.keycode.47 = 0xc7
xkeymap.keycode.48 = 0x028
xkeymap.keycode.48 = 0xaa
xkeymap.keycode.51 = 0x02b
xkeymap.keycode.51 = 0xfe52
xkeymap.keycode.34 = 0x01a # +
xkeymap.keycode.34 = 0x2a # *
xkeymap.keycode.35 = 0x01b # ´
xkeymap.keycode.35 = 0xfe50 # `
xkeymap.keycode.20 = 0x00c # ‘
xkeymap.keycode.20 = 0x3f # ?
xkeymap.keycode.21 = 0xab # «
xkeymap.keycode.21 = 0xbb # »
xkeymap.keycode.49 = 0x029 # \
xkeymap.keycode.49 = 0x056 # |

xkeymap.keycode.108 = 0x138 # Alt_R
xkeymap.keycode.106 = 0x135 # KP_Divide
xkeymap.keycode.104 = 0x11c # KP_Enter
xkeymap.keycode.111 = 0x148 # Up
xkeymap.keycode.116 = 0x150 # Down
xkeymap.keycode.113 = 0x14b # Left
xkeymap.keycode.114 = 0x14d # Right
xkeymap.keycode.105 = 0x11d # Control_R
xkeymap.keycode.118 = 0x152 # Insert
xkeymap.keycode.119 = 0x153 # Delete
xkeymap.keycode.110 = 0x147 # Home
xkeymap.keycode.115 = 0x14f # End
xkeymap.keycode.112 = 0x149 # Prior
xkeymap.keycode.117 = 0x151 # Next
xkeymap.keycode.78 = 0x46 # Scroll_Lock
xkeymap.keycode.127 = 0x100 # Pause
xkeymap.keycode.133 = 0x15b # Meta_L
xkeymap.keycode.134 = 0x15c # Meta_R
xkeymap.keycode.135 = 0x15d # Menu

Now if you copy and paste the above content, just make sure that the x is a real 'x' letter, because WordPress may change it to something else that looks like an x but isn't. If you don't do this, when you press a mapped key in VMware you will get a popup window with an error complaining about a key code. A quick check is to look for any non-ASCII byte in the file: a clean copy has none.
For the mouse issue, it looks like the solution is this:
Temporary fix (solution from http://communities.vmware.com/thread/240766):

Open a shell window and start vmware from it as follows:

# export VMWARE_USE_SHIPPED_GTK=yes

# export LD_PRELOAD=/lib/libglib-2.0.so.0

# vmware

It seems that to make the first two lines permanent, you just, as root, edit the file /etc/vmware/bootstrap and add the first two lines to the end of it.
I hope that all issues are covered now….

Shorewall firewall on UBUNTU LTS 8.04 server doesn’t start on boot

I have, on one of my machines, a pretty annoying situation related to the fact that if the Ubuntu-based firewall reboots, the firewall doesn't start automatically…

This is pretty annoying because it means that after a power failure there is a need for manual intervention to restore exterior access through the firewall to the internal servers.

[EDIT] The problem is that the firewall is started from the init scripts and it is running, but the rules for port forwarding are not active. You need to make sure that the following options are enabled in shorewall.conf (the second one makes shorewall turn on kernel IP forwarding, net.ipv4.ip_forward, when it starts; without it the port-forwarding rules are loaded but nothing is actually routed, so check that /proc/sys/net/ipv4/ip_forward reads 1 after a reboot):

STARTUP_ENABLED=Yes

IP_FORWARDING=On

[K]Ubuntu and Netbeans 6.1 with Firefox 3.0

One annoying thing that took some time to solve was that on the Start page of NetBeans there are URLs to several articles, blog posts and so on, but every time I pressed one of them it said that it could not execute Firefox.

I've checked the path, permissions, and so on, but with no solution.

Well, the fix is quite simple:

Go to the NetBeans Tools menu and select the last option, Options. It should start on the General tab, where you select the browser you wish to use.

Select Edit and, in the arguments for Firefox, remove what's there: -remote "openURL({URL})" and just keep {URL}, nothing else.

Save, close and it should work.

Now back to work…