Howto: Install Redmine 1.4 using MySQL on Debian 6 (Squeeze)

These notes are mostly because I had a hard time figuring this out – I ran in to all kinds of stupid errors. But here I present, a guide for installing Redmine 1.4 on Debian – a guide that actually works!

This guide assumes that you have a working MySQL server.

You need a bunch of packages, start by installing those:

apt-get install ruby libruby libopenssl-ruby libpgsql-ruby \
rubygems apache2 libapache2-mod-passenger subversion libmagick9-dev libmysqlclient-dev

Next, create appropriate folder and download redmine:

cd /var/www
svn co http://redmine.rubyforge.org/svn/branches/1.4-stable redmine
cd redmine

Now you need to create a user and a database in MySQL. Then continue by copying the database config sample and editing it:

cp config/database.yml.example config/database.yml
vi config/database.yml

You want to change the stanza for production:

production:
  adapter: mysql
  database: redmine
  host: localhost
  username: redmine
  password: YourPasswordForMySQL
  encoding: utf8

Save that.

Next, you need to change the Gemfile, because we don’t need sqlite and pgsql.

vi Gemfile

Then remove the following things:

platforms :mri, :mingw do
  group :postgresql do
    gem "pg", ">= 0.11.0"
  end

  group :sqlite do
    gem "sqlite3"
  end
end

And these:

  group :postgresql do
    gem "activerecord-jdbcpostgresql-adapter"
  end

  group :sqlite do
    gem "activerecord-jdbcsqlite3-adapter"
  end

Next, time to upgrade gem

REALLY_GEM_UPDATE_SYSTEM=1 gem update --system

Install bundler

gem install bundler
bundle install --without development test

Initialize session store. Ignore the warning about RDoc

RAILS_ENV=production rake config/initializers/session_store.rb
rake generate_session_store

Make the database:

RAILS_ENV=production rake db:migrate
RAILS_ENV=production rake redmine:load_default_data

Set appropriate permissions

chown -R www-data:www-data *
chmod -R 755 files/ log/ tmp/ public/plugin_assets/

Create an Apache virtual host with the following content:

<VirtualHost *:80>
ServerName your.domain.tld

DocumentRoot /var/www/redmine/public
PassengerDefaultUser www-data
RailsEnv production
RailsBaseURI /redmine
SetEnv X_DEBIAN_SITEID "your.domain.tld"

<directory /var/www/redmine>
Order allow,deny
allow from all
AllowOverride all
Options -MultiViews
</directory>
</VirtualHost>

That’s it! You’re done!

Posted in Linux, Nerdy | Comments closed

Linux LVM – how to!

 

 

I will run through some use cases for using LVM. I will begin by giving an easy-to-understand description of how LVM works. Followed by how to set up the first volume group and logical volume and I’ll end it with info on how to extend an existing partition using ext3, ext4 and XFS.

At first, a drawing to visualize what LVM is all about:

Let’s describe them from the bottom and up:

Physical Volumes (PV): These are disks. There is a single LVM partition on each disk. LVM will automatically create this! These can also be RAID devices. If you run a software raid, you can simply add /dev/mdX devices. Or if you use SAN you can add the devices presented to your OS. Basically, any raw device will do.

Volume Groups (VG): The volume group are groups of physical volumes. The total size of the volume group equals the total size of all disks added to the group.

Logical Volumes (LV): These are slices of the volume group. I can decide the size of these exactly as I like and it does not matter if I  exceed the size of a single hard disk – LVM will take care of that. The operating system will through the device mapper see the logical volumes so you can add your filesystem of choice.

File Systems: The name is pretty much self explanatory. You can choose your favorite file system, e.g. ext4 and then just make the filesystem.

Let’s get down to business!

You should have a basic understanding of how LVM works by now.  This is the setup I will be using for testing:

Redhat Enterprise Linux 6
LVM  version 2.02.87
Virtualized in Virtual Box environment
4 vDisk: 20 GB for OS, 3 x 10 GB for LVM testing

Operating system on top of LVM

You can do that. In fact, it’s quite normal. There is just one partition you must create on your disk outside of LVM; your /boot disk. Otherwise it’s fine to use LVM. One good thing is that you can slice your disk into small pieces and then easily add disk space to partitions that need it – if you run out of space.

It makes good sense to put e.g. /var on a separate partition to avoid logfiles getting filled up, thus stalling your entire OS. Anyway, this is about LVM, back on track.

This is the layout for my operating system disk:

Device Mountpoint Size
/dev/osvg/root / 5G
/dev/sda1 /boot 200M
/dev/osvg/home /home 1G
/dev/osvg/var /var 2G
/dev/osvg/swap swap 2G

osvg is the volume group.

Now, let’s say I purchased a new hard disk, it’s 10G in size. I want to have 2 partitions; one for pictures and one for movies. Of course movies need more size than pictures, so I’d like to split it 30/70.

I could simply partition it and then done with that. But let’s use LVM instead. I start by adding my new disk to the LVM as a PV:

[root@tutsrv01 ~]# pvcreate /dev/sdb
Writing physical volume data to disk "/dev/sdb"
Physical volume "/dev/sdb" successfully created

Great, so now LVM knows about my disk. I can verify that with pvdisplay, to see physical volumes the LVM knows:

[root@tutsrv01 ~]# pvdisplay
  --- Physical volume ---
  PV Name               /dev/sda2
  VG Name               osvg
  PV Size               14.15 GiB / not usable 0
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              3622
  Free PE               1122
  Allocated PE          2500
  PV UUID               msF4tW-JcB1-obDQ-WjPI-2oPl-H8wi-ybEhzj

  "/dev/sdb" is a new physical volume of "10.00 GiB"
  --- NEW Physical volume ---
  PV Name               /dev/sdb
  VG Name
  PV Size               10.00 GiB
  Allocatable           NO
  PE Size               0
  Total PE              0
  Free PE               0
  Allocated PE          0
  PV UUID               A5Kqvj-tECM-W2Q6-QBDP-l4Lr-nZxb-hhFn2G

Great, so I want to create a volume group for my media files. I’ll call it media – and I want to use the /dev/sdb PV for it

[root@tutsrv01 ~]# vgcreate media /dev/sdb
  Volume group "media" successfully created
[root@tutsrv01 ~]# vgdisplay media
  --- Volume group ---
  VG Name               media
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  1
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                0
  Open LV               0
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               10.00 GiB
  PE Size               4.00 MiB
  Total PE              2559
  Alloc PE / Size       0 / 0
  Free  PE / Size       2559 / 10.00 GiB
  VG UUID               3VGq1Y-tsNi-EIyC-THYs-2wjT-uyOO-lRirqB

As you can see I created it and it has free space in it.  Next step is to create my two logical volumes for my data:

[root@tutsrv01 ~]# lvcreate -L 3G -n pictures media
  Logical volume "pictures" created
[root@tutsrv01 ~]# lvcreate -l+100%FREE -n movies media
  Logical volume "movies" created

You may notice that the two are created in different ways. You use -L for defining a size, whereas you use -l to define a percentage. The first partition I created 3 gigabytes large, and then I just want to have the other one 7 gigabytes – but as you may know, it can be tricky to just hit that exact number. Instead I tell it to just use 100% of the free space in the Volume group.

Now I need to build the filesystem on my logical volumes. I’ll use ext4

[root@tutsrv01 ~]# mkfs.ext4 /dev/media/pictures
[root@tutsrv01 ~]# mkfs.ext4 /dev/media/movies

I removed the output. Now I’m ready, so lets add these to fstab and mount them

[root@tutsrv01 mnt]# mkdir /mnt/pictures /mnt/movies
[root@tutsrv01 mnt]# echo "/dev/media/pictures /mnt/pictures ext4 noatime 1 2" >> /etc/fstab 
[root@tutsrv01 mnt]# echo "/dev/media/movies /mnt/movies ext4 noatime 1 2" >> /etc/fstab
[root@tutsrv01 mnt]# mount -a
[root@tutsrv01 mnt]# df -h
--SNIP--
/dev/mapper/media-pictures
                      3.0G   69M  2.8G   3% /mnt/pictures
/dev/mapper/media-movies
                      6.9G  144M  6.4G   3% /mnt/movies

Great! After some time I run into this:

/dev/mapper/media-pictures
                      3.0G  2.6G  302M  90% /mnt/pictures
/dev/mapper/media-movies
                      6.9G  6.0G  550M  92% /mnt/movies

Let’s extend the drive. I have purchased 2 new disks, cause I don’t want to run out of space very soon. They’re called /dev/sdc and /dev/sdd. I want to add 6G to pictures and the rest to movies.

[root@tutsrv01 ~]# pvcreate /dev/sdc /dev/sdd
  Writing physical volume data to disk "/dev/sdc"
  Physical volume "/dev/sdc" successfully created
  Writing physical volume data to disk "/dev/sdd"
  Physical volume "/dev/sdd" successfully created

[root@tutsrv01 ~]# vgextend media /dev/sdc /dev/sdd
  Volume group "media" successfully extended

[root@tutsrv01 ~]# lvextend -L+6G /dev/media/pictures 
  Extending logical volume pictures to 9.00 GiB
  Logical volume pictures successfully resized

[root@tutsrv01 ~]# lvextend -l+100%FREE /dev/media/movies 
  Extending logical volume movies to 20.99 GiB
  Logical volume movies successfully resized

So they have been extended now. Notice that the lvextend command uses a + because we are adding the diskspace. I could also avoid the + if I’d rather decide an absolute size.

Let’s resize the filesystem. ext4 supports doing this online:

[root@tutsrv01 ~]# resize2fs /dev/media/pictures 
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/media/pictures is mounted on /mnt/pictures; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/media/pictures to 2359296 (4k) blocks.
The filesystem on /dev/media/pictures is now 2359296 blocks long.

[root@tutsrv01 ~]# resize2fs /dev/media/movies 
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/media/movies is mounted on /mnt/movies; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 2
Performing an on-line resize of /dev/media/movies to 5501952 (4k) blocks.
The filesystem on /dev/media/movies is now 5501952 blocks long.

Voila!

/dev/mapper/media-pictures
                      8.9G  2.6G  5.9G  30% /mnt/pictures
/dev/mapper/media-movies
                       21G  6.1G   14G  31% /mnt/movies

Now that you’re hopelessly in love with LVM, you should definitely start using it and stop making excuses. There are other great features such as snapshotting – but I’m sure that you can’t wait diving into the manpages. Have fun!

Posted in Linux | Comments closed

Updated set of must-have apps for your Mac

Back in 2009 I wrote a post about the apps you must have for your Mac. Time changes, new apps are born and I discover new stuff. So this is my new updated list of the Must-Have apps I will recommend you to get if you do not already have them.

1Password

This software is simply awesome! 1Password makes it possible for you to store all your passwords securely and gives you the ability to easily use those logins from your browser. Furthermore you can store credit card information in it, and it will be able to fill that out for you too.

Adium

I still think that Adium is the best instant messating app for your Mac. It supports most IM protocols, and that’s about what there i to day.

BetterZip

For unpacking a wide range of archives, BetterZip really gets the job done easily.

Camtasia

If you make instruction video or any other kind of screencast, Camtasia is without doubt the best application for recording these sessions I have used. Not only is it very easy to start recording, it also offers to record your mic and/or the system audio. Also, editing your work afterwards is very easy.

CoRD

While I think that Windows is a useless OS, CoRD is the best app for remote controlling those computers/servers running Windows via RDP.

Divvy

Being and old GNU/Linux desktop user, there were some things I have missed on OS X in regard to managing application windows. Divvy really makes this task easier. It gives you the ability to arrange your windows very easily and with a click on a keyboard shortcut.

Hands Off!

Control which applications has access to the internet and to write files on your disk. If you’re a security paranoid like me, you will love this.

iStat Menus

Keep an eye on your CPU, Disk, memory and network usage at all times right in your menu bar. Highly customizable and has a nice simple design.

LimeChat

The IRC client to rule them all. The themes are created using standard CSS. It also gives you a small preview window which shows you everything going on in all channels you are joined in. Great if you’re curious.

Keynote

PowerPoint.. seriously..met… the boss! Nuff’ said.

NaviCat (for MySQL)

If you manage MySQL databases and you’d like something a little nicer than phpMyAdmin and you’d like something to use for building and testing queries easily, this is the tool you want.

Transmit

Connect to FTP/SFTP/DAV/S3 either in Transmit or mount them as a drive. This just works beautifully and is extremely easy to use. Panic really did a great job here!

Posted in Mac | Comments closed

SFTP only chroot users with OpenSSH in Debian

From OpenSSH version 4.9 and up it is now possible to create chrooted SFTP-only users with OpenSSH without the need for any add-ons.

In my example i want all users within the “sftp” group to hit /srv/sftponly.  This can be done on userlevel or on group level. I will be using groups.

At first, use your favorite editor to ecit /etc/ssh/sshd_config and find the line starting with “Subsystem sftp” (usually at the bottom) – change it so it looks like this:

Subsystem sftp internal-sftp

Next, we need to add the rule to match users. Add this to your sshd_config at the bottom:

Match Group sftp
PasswordAuthentication yes
ChrootDirectory /srv/sftponly
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

Now add the sftp group:

groupadd sftp

Add our first user:

useradd -d /srv/sftponly -g sftp -s /bin/false <username>
passwd <username>

Now, restart openssh:

/etc/init.d/ssh restart

And you should be all set. Use your favorite SFTP editor to test. Also try logging on via SSH to make sure that the user does not have access to do that.

Troubleshooting

Along your way some problems might occur. I will try to address the most common ones here. At first what you want to do is enable debugging in openssh so you can see in the logs what happens. Edit /etc/ssh/sshd_server – find “LogLevel” and change the setting to “DEBUG” – and restart ssh. The problems below are shown either in these logs or in the output of the “sftp” command from the client. When using the sftp client be sure to add the “-v” flag for verbose output.

Problem: fatal: bad ownership or modes for chroot directory component “/”
Fix: chmod 755 /

Problem: fatal: bad ownership or modes for chroot directory “/srv/sftponly”
Fix: Folders in the path along the way must be owned by root:root and must not be writable by anyone but root. This is because the directory we are going to use will be the root of the new users.  In my example the fix would be: chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly”

Problem: Everything seems to be OK.. The users just don’t get access.
Fix: Make sure that you don’t have any whitespaces in your sshd_config after the configuration lines. In my case this caused a real pain.

Hit me a comment if you experience anything strange.

Setting UMASK for SFTP users

Add this line to /etc/pam.d/sshd:

session    optional     pam_umask.so umask=0002

This particular line will make new files/folders user and group writable.

Posted in Hosting, Nerdy, Security | Comments closed

Do you make backup? – If you do, is your backup strategy safe?

I think server backups here.

As a server administrator, there are a lot of concerns and one of the bigger ones is security. I know a whole lot of server administrators, and when I did a Q&A to know about their backups I was astonished to find out that more than 30% of them did not even take backup. I got a lot of responses and there are many ways of handling your backup, but a lot of them are very very wrong and will not do you any good in case of an emergency.

Do you even back up?

If you do not back up your data, what will you do in case of a hardware failure? Sure, you might be running a RAID, but a RAID is no guarantee, a RAID can break and then you will loose the game.

If you do not take backup, what will you do in the event of a fire breaking loose and destroying everything where ever your server is placed? Is your data valuable to you?

How do you back up?

Making backup is good. But how do you save your backup on the remote host? A few common ways of making backup is via FTP/SFTP/rsync. So, now you’re safe, right? If a fire breaks out, water disaster, disks die and so on, you will have your backup. And that’s good.

If your backup is automated, then your client somehow authorized to the backup server. In most of the above mentioned cased that authentication gives you full access to the backup data! Why is that bad?  It is because an attacker that has success gaining access to your server, will be able to emulate the authentication of the automated backup and therefore be able to delete both production data AND backup data.

How much is your backup worth now?

Posted in Hosting, Security | Comments closed

Howto: APC UPS and Debian

So, I have a couple of NAS boxes and a laptop as server running at home. It’s all good until thunder appears. There are multiple risks with this. If the lightning strikes it can cause large surges of electricity that will destroy your equipment, if a power loss occurs it can cause the two RAID5 setups to die and it will cause major data loss.

A couple of days ago I bought a UPS and set it up and now I figured I should also set it up. So I did some reading and this is my result served to make it easier for you.

In this guide, this setup is used:
– Computer with GNU/Linux Debian Lenny
–  APC Back-UPS 800

The software I use is apcupsd which is in the Debian repository. Start by installing it:

apt-get update && apt-get install -y apcupsd

The next thing is to configure it. I did a whole lot of reading the manual for apcupsd to make sure I did things right. When your UPS is set up, hook the USB cable into your server.

Go to /etc/apcupsd and edit the file apcupsd.conf

My UPS and most of the newer UPS’es form APC uses USB to interface with the server, and that makes it easier for us to talk to it. These are the parameters I have set:

UPSCABLE usb

Define that we use a USB connection to the UPS.

UPSTYPE usb
DEVICE

Set the type to usb and leave the DEVICE property empty. By that it will find out where it is located by itself, and since we use USB it can do that.
ONBATTERYDELAY 5
BATTERYLEVEL 10
MINUTES 10
These three you should set to fit your needs. How generous you can be really depends on the amount of power you have versus the amount of power you use. My setup uses up around 85 watts, and since I have 800 VA I can keep it running for quite a while. On the product page for your UPS (if it is a APC) you will find a graph that tells you how long you can have it running depending on how much power you use. If you do not have any idea whatsoever about your power usage, you should get an energy meter and measure it first. If you have an idea, buy an appropriate UPS and set the levels as above. Later I will test the communication to the UPS and that will tell you how long it can keep you running – which also means you will know how to set your thresholds.
Now, these were all the customizations I did to the config file. Edit the file /etc/default/apcupsd:
ISCONFIGURED=yes
If you do not do this, it will refuse to start. Next, start it:
/etc/init.d/apcupsd start
Now, you can issue the command “apcaccess” and it will talk to the UPS and show you some information. You should see something similar to this (and more)
# apcaccess
APC      : 001,044,1076
DATE     : Thu Nov 25 10:20:32 CET 2010
HOSTNAME : natalie
RELEASE  : 3.14.4
VERSION  : 3.14.4 (18 May 2008) debian
UPSNAME  : natalie
CABLE    : USB Cable
MODEL    : Back-UPS BR  800
UPSMODE  : Stand Alone
STARTTIME: Wed Nov 24 20:30:05 CET 2010
STATUS   : ONLINE
LINEV    : 230.0 Volts
LOADPCT  :  13.0 Percent Load Capacity
BCHARGE  : 100.0 Percent
TIMELEFT :  53.0 Minutes
I made three of then bold, as they will tell you something you need to know. Check that it got the MODEL right. Next, check that STATUS is ONLINE.  Check that LOADPCT is less than 90 (it’s good to have a buffer). Now, on the TIMELEFT it will tell you how long it is able to run on the batteries. If you need now, edit the conf file again and adjust the parameters to fit this, so that you have time to shut down the systems nicely.
Now your UPS setup is working. I know it can be hard, but try pulling the plug for 10 seconds and the connect it again.  You should see a couple of broadcasts on your server. Also, if you view the file /var/log/apcupsd.events you will see all the events that the UPS system logs.
This is a sample of my log (I also tested the shutdown process by making it shut down machines quickly after a power loss.)
Wed Nov 24 20:22:50 CET 2010  Power failure.
Wed Nov 24 20:22:56 CET 2010  Running on UPS batteries.
Wed Nov 24 20:23:57 CET 2010  Reached run time limit on batteries.
Wed Nov 24 20:23:57 CET 2010  Initiating system shutdown!
Wed Nov 24 20:23:57 CET 2010  User logins prohibited
Wed Nov 24 20:24:16 CET 2010  apcupsd exiting, signal 15
Wed Nov 24 20:24:16 CET 2010  apcupsd shutdown succeeded

Make NAS’es shutdown too!

In my case I have 2 NAS’es and I want them to shutdown too. It’s pretty easy to do that (when you figure it out).
This is what I did:
1) ssh-keygen -t rsa
2) mkdir /etc/apcupsd/keys
3) mv ~/.ssh/id_rsa /etc/apcupsd/keys
4) chmod 600 /etc/apcupsd/keys/id_rsa
5) cat ~/.ssh/id_rsa.pub
Mark and copy the public key.
Log on to your NAS as root/admin account and do “ls -la” – if a .ssh folder is already there, go to it. if not, create it. Check if there is a file called “authorized_keys” – if not, then create it and put the key from your clipholder in it. Now go back to your server and issue this command:
ssh -i /etc/apcupsd/keys/id_rsa -l <username_for_nas> <ip_for_nas> ‘ps’
When you run that, it should show you a process list without any trouble. this process list is from the NAS – this means you can run commands on the NAS via SSH remotely now. In my case the NAS runs busybox, so to shut it down I need to run “/sbin/poweroff” so this will be the full command for me to use:
ssh -i /etc/apcupsd/keys/id_rsa -l admin <ip> ‘/sbin/poweroff’
Test it by running this command and see if your NAS shuts down.
Next thing you need to do is to make apcupsd do this when it shuts down. Do this by editing the file “/etc/apcupsd/apccontrol”
Find the “doshutdown” option and simply add your command BEFORE the ${SHUTDOWN} line. This is mine:
echo “UPS ${2} initiated Shutdown Sequence” | ${WALL}
echo “Will now shutdown NAS systems before killing server” | ${WALL}
/usr/bin/ssh -l admin -i /etc/apcupsd/keys/id_rsa <NAS1_IP> ‘/sbin/poweroff’
/usr/bin/ssh -l admin -i /etc/apcupsd/keys/id_rsa <NAS2_IP> ‘/sbin/poweroff’
${SHUTDOWN} -h now “UPS ${2} initiated shutdown”
And voila! If a power outage occurs your NAS and server will now shut down safely.
Posted in Hosting, Nerdy | Comments closed

42 reasons why the iPad is better than netbooks.

Now, in the following I take into note that the iPad is not meant as a replacement to your laptop computer. It is meant as an additional device, something extra you have. Because you like nice things.

Also, the “it’s expensive” and “you need to buy” argument is used a lot of times – I see that argument as invalid. It’s not a question about money, it’s a question about whether the device is great or not.

Actually, all of this is nonsense, as the iPad should not be considered a replacement for a computer, as mentioned. The iPad is an extra device you get, something more, when you’re out and you DO NOT have the need for a computer, but would like to watch some movies, listen to music, read books, show your friends pictures.

Also, being on a flight the iPad is EXCELLENT for movies, reading and you can sit with it in a relaxed position like a piece of paper or a book.

As a response to: http://www.pcmag.com/article2/0,2817,2358590,00.asp

1 ) If you want an iPad you must know that you want quality and that you want to pay for the fact that the product is extremely well created and beautiful. If you are poor and you use the argument that the iPad is expensive, that only tells that you are  too poor to own it.

2) Beginning in november, Apple will launch iOS 4.2 for the iPad making it able to multitask.

3 ) Flash is annoying and it concumes a huge amount of CPU and memory. Also it introduces security issues.

4 ) With a photo kit an iPad does have USB. (Remember the poor argument when beginning to argument that this is pricey)

5 ) For the purpose of what you need an iPad for, you have absolutely no use for higher resolutions. Also, it scales down websites wonderfully.

6 ) If you want a bigger screen the device will be bigger and the smart size of the iPad starts to disappear.

7 ) You can get on-the-go charging kits for the iPad. (Don’t even think about it, poor guy)

8 ) Personally I have never, ever used the webcam for anything but fun and it is not something I would need in the device I use for movies and reading books.

9 ) You can buy a keyboard. The iPad is nice and compact without it with a wonderfully working on screen keyboard. (Again… )

10 ) The photo kit mentioned above you can use the USB interface from your camera or read the most commonly used card, SD. (…)

11 ) iPads have the potential of flash, taking over the world, doing your mom AND making coffee all at the same time.

12 ) The screen on a netbook is usually made from plastic that extremely easy gets scratched and ugly when exposed or just even touched. The iPad is covered with glass and made for touching. The glass on an iPad is very hard to scratch.

13 ) On a device the type of an iPad you do not need a faster processor.

14 ) On a device like an iPad you don’t need more than 64 GB space. Also, where did the “you can buy this and that but it’s too expensive” argument go here?

15 ) True story. A new version of the iPad with better specs will come when times require it. (No! you’re too poor! Remember that even Microsoft stated in their own advertisment that macs are for cool people)

16 ) On a device like the iPad you don’t need a full blown OS. In fact that’s one of the major FEATURES of it, not having the full OS. iOS is great for touch.

17 ) With an iPad you can get the apps you need through iTunes.

18 ) Square-ish? That argument is lame. I won’t even comment further on it. The iPad can rotate, period.

19 ) Wireless-N is indeed fast enough for HD video. The iPad is not a replacement for a computer, it’s an additional device.

20 ) Aaand.. the iPad can’t?  My iPad plays 720p HD without any problems.  You would NEVER need 1080p on such a small screen! Not even if it was 13 inches.

21 ) The battery argument again? It was in 7.

22 ) But! None of them even comes close to how beautiful the iPad is.

23 ) … Who wants to do that?

24 ) Again.. enough about the money! Apple stuff is for cool people who knows that good things cost good money – and those who can afford to be awesome. Don’t make money an issue, cheap ass.

25 ) Again the money issue. The connector, get it!

26 ) More advanced? It’s just flat and boring as hell. It’s very entertaining playing games on the iPad because you interact with it. You can even play scrabble and use it as your board and have your letters on the iPhone.

27 ) The iPad has built in 3G and you can readch your Plex/Nine at home with it to watch TV and stuff. You won’t need legacy ports on a iPad kind of device.

28 ) You certainly can on the iPad too. I just bought a data card from another carrier and put it in, BAM, internet on the iPad. This argument is directly wrong.

29 ) Get Apple Care.

30 ) You can do that from iPad too.

31 ) Yes you can, through apps.

32 ) Argument based on basically thin air.

33 ) What are you a hundred?  Rent it online with iTunes.

34 ) As can you for iPad.Navigon, TomTom, CoPilot. iPad runs all iPhone apps.

35 ) The iPad gives you access to internet within 1 second. Also the iPad is an EMBEDDED DEVICE, not a computer.

36 ) Get a netbook for your child, I don’t have kids, I don’t give a crap about kid friendly.Besides, with the awesome games and the fun way to interact with them the kids will be entertained for hours with the iPad.

37 ) Again, go online and stream from Plex (and eyeTV). (But mommy, data is expensive, I’m poor.. waaaaaaah.. )

38 ) Say hi to Opera

39 ) True. Java is slow anyway so why use it? Like flash it consumes a lot of system resources.

40 ) iOS 4.2 in  november. it’s okay to use upcoming and “possible” and “potential” in these arguments, as used earlier with the netbooks.

41 ) If you don’t have a computer already, an iPad is not a device you would use. It’s not a god damn replacement, it an addition.

42 ) Use files and streaming instead of physical optical media.

Posted in Random | Comments closed

Setting up OpenVPN server

Please read through the entire tutorial BEFORE doing anything. If you do not read through this you might end up with some unanswered questions on how to do something, that is actually described further down. Thanks.

Test setup: XEN based VPS. 256 slice from Slicehost running Debian Lenny 64-bit

Let’s get started!

The first thin you want to do is install OpenVPN:

apt-get update && apt-get install -y openvpn

If everything above goes as it should, OpenVPN is now installed and we will continue to configuring it.

The following 4 commands will go to the configuration directory, copy easy-rsa (which we will use), copy a sample of the configuration file and unpack the sample.

cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gunzip server.conf.gz

Now that these files are in place it’s time to start creating keys and configuration. For this we will use the easy-rsa package supplied by OpenVPN. This package makes the creation and signing of keys much easier.

Next thing we are going to do is set the variables for easy-rsa to use. These must be set every time you want to use easy-rsa if you have been logged out!

. ./vars
source ./vars

Make sure that our directory for keys exists, has the correct settings and such. Note! If  you have any keys at this point, they will be removed!

./clean-all

Set up your Certificate Authority

./build-ca

We need a certificate and a key for the server itself, let’s build those. The second argument is the name of the server. If you choose to change this from server (there’s not really a reason to do so), then remember to change this as well in the config changes we make later on.

During the build-key-server process you will be asked for various information, you can choose to change this if you want, but for the setup to work it is not necessary. Just make sure that Common Name is server

./build-key-server server

We need to build the Diffie-Hellman parameters.

./build-dh

We are basically done with building the server now, but at this point no users will be able to log on and use the VPN. We use the build-key command (remember that vars MUST be set for this to work, if you want to create users at a later time). I will create a user called “fbh” for myself.

Again, I will be asked for some information and again I can choose whether to enter this or not.

./build-key fbh

Next thing we need to do is edit the server configuration file to know where these keys are located, use your favorite editor and open the server.conf file and find the part that holds paths to keys. Change it as following. (Note! If you change the servername from “server” above, this is where you need to change the keyname)

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

# And a little further down

dh /etc/openvpn/keys/dh1024.pem

For now, leave all other parameters  at the default.

You are now done with a basic OpenVPN server. If the LAN you are connected to uses the range 10.8.0.0/24 currently, you should edit the server.conf file and find the line that says “server 10.8.0.0 255.255.255.0” and change it to something else, otherwise you will encounter a conflict!

Tunnel internet access through the VPN as well

With the above setup you will be connected via VPN to the network of the VPN server, however you will not be browsing the internet through the VPN server. As you might think, this configuration is not done in the client. You will need some changes to the OpenVPN server for this to work, as the server pushes configuration to the client.

Again, edit /etc/openvpn/server.conf and add the following line to it:

push “redirect-gateway def1”

Now it will set the client’s default gateway to go through the OpenVPN server upon connect – however, it will not work yet and there are multiple things to this.

At first, you might currently be using your ISP’s DNS servers, and they will probably not allow you to do recursive lookups when not connected through their network. So you need to push a set of open DNS server as well, or set up your own on the server (this tutorial does not cover that). In this tutorial we will use Level 3 Communications DNS, as they have a set of free, public DNS servers that responds quickly. Add these lines to your configuration:

push “dhcp-option DNS 4.2.2.1”
push “dhcp-option DNS 4.2.2.2”
push “dhcp-option DNS 4.2.2.3”

We’re getting closer now, but it might STILL not work. Also, you must have NAT between eth0 and tun0 enabled in iptables. You will need to know the name of your public interface to do this. In most cases it’s eth0. To enable it run these commands:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

If you want these to be run whenever the server reboots, to make sure this works, add the 3 lines to /etc/rc.local before the “exit 0” line. This script is being run every time a multiuser level is started up on the server.

Almost there! The last thin you need is to enable forwarding, do this with:

echo 1 > /proc/sys/net/ipv4/ip_forward

And done! Restart OpenVPN and make sure that it starts up

/etc/init.d/openvpn restart

Your VPN server is now able to tunnel connections and you are able to connect to the internet through it.

When I have the time, I will be publishing a tutorial on setting up clients as well.

Posted in Random | Comments closed

Useriøs hosting!

Som du måske har bemærket (hvis du har læst mine tidligere indlæg..) så er en af mine interesser hosting. Sjovt nok, lever jeg af hosting og ud over at leve af det, så snuser jeg også rundt og ser hvad andre har at byde på.

Jeg møder mange ting rundt omkring, som jeg synes er super fede – men jeg møder også ting, som jeg virkelig synes er til grin. Der er dog én ting, som jeg synes går igen og igen. Udbyderne mangler SSL kryptering på deres kontrolpaneler og deres webmail.

Nogle vil kalde mig sikkerhedsparanoid, men det kan jeg ikke tage mig af. Hvis man først er i gang med at sniffe trafik, så er en af de letteste ting i verden at sniffe trafik der sendes i clear text.

Først, hvis du ikke helt er klar over, hvad jeg ævler om, så se min screencast der omhandler emnet:

Screencast

Hvis du ikke allerede vidste det, så ved du en lille smule mere om sikkerhed nu. Så langt så godt.

Problemet i det hele er at mange hostingvirksomheder ikke sørger for at SSL kryptere forbindelsen til f.eks. deres kontrolpanel eller deres webmail.

Set med mine øjne, så er dette meget kritisk da man jonglerer rundt med folks private data. Nogle vil så argumentere med at SMTP jo alligevel ikke er krypteret, eller at de fleste kunder alligevel uploader data via en ukrypteret FTP forbindelse.

Det er bare ikke et holdbart argument, for der er ingen grund til at gøre tingene værre end de er. Dernæst, så er risikoen for at data opsnappes på en webmail væsentligt større end den er på f.eks. FTP.  Mange mennesker kigger på deres Webmail alle mulige steder men de logger ikke på FTP og uploader ting og sager fra f.eks. en hurtig netcafe i luftnavnen.

Jeg har kigget på lidt forskellige hostingselskaber, og vil derfor her komme med en kort forklaring på hver af dem, om de benytter SSL eller ej. Bemærk! At dette kendetegner hvordan tingene ser ud d. 22/03-2010.

Inforce A/S: Hos Inforce A/S eller Webhotel.net er der ingen kryptering på kontrolpanel og webmail. Deres OWA er der kryptering på.

UnoEuro.com: Hos UnoEuro er der SSL på kontrolpanelet, men som standard på Webmail er der ingen kryptering. Man kan vælge “sikker forbindelse” – men så bruges et self-signed certifikat. Læs lidt om forskellen på self-signed og signed.

Web10: Web10 har ingen SSL kryptering på hverken webmail eller kontrolpanel.

One.com, SurfTown.dk og Gigahost.dk benytter alle 3 SSL kryptering på både webmail og kontrolpanel.

Posted in Hosting, Nerdy, Rant'n'rave | Comments closed

Maximizing Password Security

Amongst several years I have been using very complex passwords, however they could somewhat be linked to each other. I memorized around 15 different passwords with an average length of 15 chars. All of them had a complexity level which was rather high, (at least 3 of these: uppercase letters, lowercase letters, numbers, special characters, whitespaces).. So, from these I created passwords put together from them and so on.

But really, does that maximize my password security?  No, not really, because using the same password two places no matter what increases the risk of a password to be compromised. Even though both places kept the passwords in some encrypted format, there would still be 2 paths to reach my hashes. So, the only way of really solving this issue is by having a different password _everywhere_ and not use 2 equal ones anywhere. This leads to some kind of challenge. I would never, ever use a passphrase like “I am awesome for having a long password”..  So the solution would be to have a password database, containing all the different passwords used. For this I chose KeePassX – the OS wide port of KeePass.

This has a nice password generator, so I genereated a 28 character, random password containing lowercase letters, uppercase letters, numbers and special chars. Now I have memorized that password. The database is 256bit AES encrypted.

So now I do not use any password that matches one I use somewhere else – furthermore, all passwords are 15-30 chars long with maximum complexity level.. Well, at least those who are not for stupid pages which has a.. MAXIMUM complexity level. How stupid… Anyway, I’d like to share my keepass multiOS, portable package with you.

The contents are:

KeePass 2.08
The windows version – portable.

KeePassX 0.4.0 Linux 32-bit
The Linux version, compiled from source using GNU/Linux Debian Lenny.

KeePassX 0.4.0 Linux 64-bit
The Linux version, compiled from source using GNU/Linux
Ubuntu Jaunty.

KeePassX 0.4.0 Max OS X
The OS X version .app package. Works like charm.

All of them are tested on the respective platforms, and works like a charm. You can fetch the package I made right here:
http://frands.net/pub/Keepass_MultiOS.zip

Posted in Nerdy, Security | Comments closed