Bastille is an open-source system for automating deployment and management of containerized applications on FreeBSD.

Bastille automates deployment and management of containers using a container technology *old enough to buy you a drink! We’ve taken automation concepts learned from leading config management contenders and combined them with the ORIGINAL container technology. FreeBSD introduced containers in April 1999, pre-dating every other container technology available. Imagine, a reliable container technology that has had two decades to work out bugs. Talk about production ready! This talk will outline design features and demonstrate secure container automation in the cloud and on the Raspberry Pi.

* Bastille uses FreeBSD Jails as the container platform.

To learn more about lightweight containers on FreeBSD visit BastilleBSD.

Enable denyhosts synchronization mode (denyhosts logo)

I recently deployed a new server to host this and my other websites. Because this is a public facing server, part of this deployment includes securing the network. To secure SSH I generally limit the users that are allowed to login to the system using AllowUsers directive, disallow root login using PermitRootLogin no and often change the listening port. In addition to all this I also usually deploy the denyhosts service, which watches for brute-force attempts and blocks connections from those IPs. With this last deployment I learned about a new (to me) feature of denyhosts called Synchronization Mode. This setting allows your denyhosts installation to send and/or receive IPs blocked in brute-force attempts. This means your denyhosts installation can benefit from the shared blocklists of other hosts. In this tutorial I’ll outline the few steps needed to enable denyhosts Synchronization Mode.

Install denyhosts:

First, if you don’t yet have denyhosts installed, it can be added by installing the denyhosts package:

sudo apt-get install denyhosts

From the denyhosts FAQ:

DenyHosts v2.0 and later introduces synchronization mode which allows DenyHosts daemons the ability to transmit denied host data to a central remote server (hosted by denyhosts.net). Additionally, DenyHosts daemons can also receive data that other DenyHosts daemons have sent to the central server.

This feature is intended to provide the ability to proactively deny ip addresses that have attacked other users of DenyHosts. That is, each DenyHosts 2.0 (or later) user can benefit from other users of Denyhosts. Similarly each DenyHosts user can benefit other DenyHosts users.

Enable denyhosts synchronization mode:

By default this option is disabled. Enable it by un-commenting the following in the config file, /etc/denyhosts.conf:

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Optional Settings:

Denyhosts Synchronization Mode is configurable. To only provide data to the collective toggle the SYNC_DOWNLOAD option from yes to no as seen here:

SYNC_DOWNLOAD = no

On the flip side, to only receive data you can toggle the SYNC_UPLOAD option from yes to no as seen below:

SYNC_UPLOAD = no

Restart denyhosts:

Once you’ve made these changes you’ll need to restart your denyhosts service:

service denyhosts restart

You can tail the denyhosts log to see that you are receiving updated blocklists. By default these lists are shared each hour.

Run denyhosts inside ssh enabled containers with BastilleBSD: Secure container automation.

Ubuntu Server allows you to activate automatic updates during the initial installation process. This setting configures your system to automatically download and install security updates. This system is configurable and this tutorial will outline how to enable it if you hadn’t previously, disable it if you no longer want to use it, and select the repositories from which you want to receive updates.

To enable automatic updates on your system you need to ensure you have the unattended-upgrades package installed. This can be done using the following command:

sudo apt-get install unattended-upgrades

This will install a config file that you can tweak found at /etc/apt/apt.conf.d/50unattended-upgrades. This file allows you to configure the repositories you want to receive updates from, packages you want to blacklist from automatic updating, and even an email address where you’d like to be notified of updates.

Configure Automatic Updates

Using your favorite editor, open /etc/apt/apt.conf.d/50unattended-upgrades and update the first section Allowed-Origins as seen in the example below:

// Automatically upgrade packages from these (origin:archive) paris
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};


If you’d like to receive updates from the updates, proposed or backports repositories, simply uncomment those lines and save.

The Package-Blocklist section is just below. If you have any packages that you do NOT want automatically updated, list them here.

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//    "vim";
//    "libc6";
//    "libc6-dev";
//    "libc6-i686";
};


There are quite a few more options in this file. They are well documented, so I’ll leave it to you to determine if the options are right for you.

Enable / Disable Automatic Updates

To enable (or disable) the automatic updates you’ll finally need to edit the /etc/apt/apt.conf.d/10periodic file and make it look like the example here:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";


Finally, to disable automatic updates change the “1”s in the file above to “0”.

Have you ever found yourself behind a restrictive firewall that only allows outbound http(s) traffic, but you need to SSH out? Perhaps you’ve tried running SSH on port 443 (https) but those connections have been denied as well. In this post I’ll outline how to configure stunnel on an SSH server to allow encrypted SSH connections over port 443 (https).

This configuration is done in two parts. The first half is done on the remote SSH server. The second half is done on the local machine. In this case I’m running Ubuntu Server and Ubuntu Desktop for the client.

Server Side Instructions:

First off we’ll need to install the stunnel package:

sudo apt-get install stunnel4

Once the package is installed we’ll need to configure stunnel with an SSL certificate and a config file. First, the SSL certificate:

openssl genrsa 1024 > stunnel.key
openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
cat stunnel.crt stunnel.key > stunnel.pem
sudo mv stunnel.pem /etc/stunnel/

Configure stunnel to tunnel 443 (https) to 22 (ssh):

By default stunnel doesn’t provide any config files. We’ll create a simple config file to meet the needs of using SSH over SSL. Create a new file, /etc/stunnel/stunnel.conf and copy in the contents below:

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem


[ssh]
accept = public_ip:443
connect = 127.0.0.1:22

The above configuration tells stunnel where to find the certificate we generated and where to accept and forward connections. In this case stunnel will listen on the public_ip on port 443 (https) and redirect connections there back to localhost on 22 (ssh).

In order to start the stunnel service we’ll need to activate it in /etc/default/stunnel4. Change the ENABLED line from 0 to 1.

Finally, we can start the service and move on to the client configuration:

sudo service stunnel4 start

You can verify that stunnel is now listening by using the netstat command:

netstat -natp | grep :443

Client Side Instructions:

The rest of these instructions are done on the local machine.

As was done on the server, we’ll need to install the stunnel package:

sudo apt-get install stunnel4

The client configuration also needs the same SSL certificate that we generated above. copy/paste or otherwise duplicate the .pem file we generated in the Server Side Instructions and save it to the same location, /etc/stunnel/stunnel.pem.

We’ll need to create a similar configuration file, only this time we’ll change the accept and connect sections. Use the example below to populate the /etc/stunnel/stunnel.conf on your client.

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem

[ssh]
accept = 127.0.0.1:2200
connect = remote_ip:443

With the config file and certificate in place we’re ready to enable stunnel and start the service. Enable the service (as above) in the /etc/default/stunnel4 and then start the service.

sudo service stunnel4 start

Make the connection

With the stunnel service now running on both the server and the client we’re ready to make the secure connection. Now when you connect to your local machine on port 2200 it will make a connection to the remote IP on port 443, create a secure SSL connection, and connect to port 22 on the other end. Your encrypted SSH connections are now wrapped in an encrypted SSL connection using port 443.

ssh localhost -p 2200

Conclusion

stunnel can be used to encrypt a wide range of services. In this case creating an SSL connection over the standard https port allows you to SSH out even when the standard SSH port is blocked. This configuration will become part of my standard setup on my SSH servers. You never know when you’ll find yourself in a situation where you’ll need this kind of access!

Instant Ubuntu

Instant Ubuntu – Overview

• Download and burn the free Ubuntu installer DVD
• Connect with friends and family online using popular social media platforms, email, and chat
• Use the Ubuntu Software Center and install new applications
• Explore the included multimedia applications, and play music and watch videos
• Set up automatic backups stored securely in the Ubuntu One cloud
• Be productive at work or school with the LibreOffice productivity suite
• Install up-to-date drivers to support cutting edge video and network hardware
• Join a worldwide community of open source enthusiasts

How to Enter

All you need to do to enter is head on over to the Instant Ubuntu page at the Packt Publishing website, look through the product description and then leave a comment here to let us know what you find most interesting about the book. It’s that simple. We’ll then choose winners from the comments on this page and they’ll receive a free copy of the eBook!

Contest ends on 2013/11/05, so act quickly! Winners will be contacted via email, so be sure to use a valid email address with your comment!

Ubuntu kernel version

The Linux kernel is a core component of every Ubuntu system. It is primarily responsible for managing the system hardware. Having the ability to check what version you are running can be beneficial. From time to time there are vulnerabilities that affect specific kernel versions, and being able to verify whether or not you are affected can be helpful. Certain features and hardware support are tied to certain kernel versions as well. This post will outline how to discover your Ubuntu kernel version in two easy steps.

Discovering your Ubuntu kernel version can be done in just a few quick steps. I’ll outline these steps below.

1. Open a Terminal window (Dash | search “Terminal” | hit Enter)
2. Type the following command:

uname -r

That’s it! The uname command can report information about the currently running kernel, including version, system hostname, system architecture and more. For more information see man uname.

Instant Ubuntu

I’m very happy to announce the availability of my new book, “Instant Ubuntu“! I spent most of the summer working on this and I’m very happy to finally see it published. This book is written for those brand-new to Ubuntu. The book includes step-by-step installation instructions, a tour of the Unity desktop and an outline of the top features and applications. My hope is that it will be a useful tool for those making the switch from Windows.

Instant Ubuntu is your complete guide to making the switch to Ubuntu.

What you will learn from this book

• Download and burn the free Ubuntu installer DVD
• Connect with friends and family online using popular social media platforms, email, and chat
• Use the Ubuntu Software Center and install new applications
• Explore the included multimedia applications, and play music and watch videos
• Set up automatic backups stored securely in the Ubuntu One cloud
• Be productive at work or school with the LibreOffice productivity suite
• Install up-to-date drivers to support cutting edge video and network hardware
• Join a worldwide community of open source enthusiasts

If you haven’t heard of Salt yet, I’d highly recommend checking out the 30 second summary and consider using Salt to manage your systems.

System Settings > Appearance > Behavior

Appearance Settings

To customize the behavior of your Unity Launcher, navigate your way to the System Settings application and select “Appearance“. From there select the “Behavior” tab, and toggle the button on the right for the option “Auto-hide the Launcher“. You’re then able to customize the reveal location and reveal sensitivity.

To customize the reveal location you’re able to decide between the left-side of the screen or the top-left corner of the screen. I prefer the left-side personally. I’ve also left the reveal sensitivity at the default, but you may prefer to tune that to your preference.

You can always return the behavior to the default settings by selecting the “Restore Default Behavior” button.

SaltStack

As a system administrator I’m always on the lookout for new systems and tools to make my life easier. As the saying goes, “a good admin is a lazy admin.” Any day I can find a new tool to improve the efficiency in which I’m able to manage my machines is a good day. To date, my favorite tool for this is Salt Stack. Remote execution. Configuration management. Easy syntax. Salt Stack is a great tool for managing any number of machines. In this post I wanted to outline how to install Salt Stack on Ubuntu LTS.

Installation

The latest Salt Stack packages are available in a PPA. The steps below demonstrate how to add the PPA and install the Salt Stack packages.

sudo apt-get install python-software-properties
sudo add-apt-repository -y ppa:saltstack/salt

Once the repository has been configured you’ll need to refresh your package cache.

sudo apt-get update

Now you should be ready to install the Salt Stack packages. Salt Stack is broken up into three different packages: salt-master, salt-minion and salt-syndic.

Salt Master

sudo apt-get install salt-master

Salt Minion

sudo apt-get install salt-minion

Salt Syndic

sudo apt-get install salt-syndic

It’s likely that you’ll want one Salt Master and a number of Salt Minions. Salt Syndics are for slightly more advanced configurations.

For more information on using Salt Stack, you might be interested in following the Into The Salt Mine blog.