Posts tagged ·

Debian

·...

Raspberry Pi headless install

Comments Off

The minimal “lite” image of Debian 8 (Jessie) is an excellent choice for a headless Raspberry Pi. After downloading to the SD card, these notes from Dmytro Bobkov covers the basic initial setup, while wifi setup from the command line is explained here. More details on CLI wifi on Debian in a previous post here.

If there is no screen or keyboard available, the SD card have to be prepared before the initial boot. Mainly to make sure SSH is running, so you can log in. This discussion covers the topic. However, if things are not working at once, a few debug statements can help. E.g., add as needed in the config file (change the IP as needed to your laptop or machine):

echo "$_IP" | nc 192.168.1.100 10100

echo "ssh has started" | nc 192.168.1.100 10100

On the other end, receive the messages by:

while true; do nc -l 192.168.1.100 10100; done

Finally, you might want to add a few extra packages, based on what you want to use the device for. These might come in handy:

apt-get update
apt-get upgrade

apt-get install htop itop atop git tig tree autossh nmap rsync lynx links emacs

Comments Off

Upgrading Debian Wheezy 7 to Jessie 8

Comments Off

Upgrading from Debian 7 to 8 is reasonably straight forward, following the official instructions. These shorter summaries are also useful references.

Very briefly then, make sure you have backup.
dpkg --get-selections "*" > dpkg_selections.txt
tar zcvf upgrade_backup.tar.gz /etc /var/lib/dpkg /var/lib/apt/extended_states /etc/mysql/my.cnf /etc/fuse.conf /etc/ssh/ssh_config

Update /etc/apt/sources.list, and replace all occurrences of wheezy with jessie.
sed -i 's/wheezy/jessie/g' /etc/apt/sources.list

If VirtualBox is installed, update to the new key:
wget -q -O - http://download.virtualbox.org/virtualbox/debian/oracle_vbox_2016.asc | sudo apt-key add -

Then comes the upgrade dance, with a few prompts, warnings, questions.

apt-get update
apt-get upgrade
apt-get dist-upgrade

After the upgrade, it is recommended to purge unused packages
apt-get purge $(dpkg -l | awk '/^rc/ { print $2 }')
apt-get autoremove

It is also recommended to install the linux-image-* metapackage, e.g. for AMD CPUs
apt-get install linux-image-amd64

Finally, cross your fingers and reboot.

Comments Off

Let’s Encrypt TLS certificate setup for Apache on Debian 7

Comments Off

Through Let’s Encrypt, anybody can now easily obtain and install a free TSL (or SSL) certificate on their web site. The basic use case for a single host is very simple and straight forward to set up as seen here. For multiple virtual hosts, it is simply a case of rinse and repeat.

On older distributions, a bit more effort is required. E.g. on Debian 7 (Wheezy), the required version of the Augeas library (libaugeas0, augeas-lenses) is not available, so the edits to the Apache config files have to be managed by hand. Furthermore, for transitioning from an old HTTP based server, you need to configure the redirects for any old links which still might hard code “http” in the URL. Finally, there’s some security decisions to consider when selecting which encryption protocols and ciphers to support.

Installation and setup

Because the installer has only been packaged for newer distributions so far, a manual download is required. The initial execution of the letsencrypt-auto binary will install further dependencies.

sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt
 
cd /usr/local/letsencrypt
./letsencrypt-auto --help

To acquire the certificates independently of the running Apache web server, first shut it down, and use the stand-alone option for letsencrypt-auto. Replace the email and domain name options with the correct values.

apache2ctl stop
 
./letsencrypt-auto certonly --standalone --email johndoe@example.com -d example.com -d www.example.com

Unless specified on the command line as above, there will be a prompt to enter a contact email, and to agree to the terms of service. Afterwards, four new files will be created:

/etc/letsencrypt/live/example.com/cert.pem
/etc/letsencrypt/live/example.com/chain.pem
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

If you don’t have automated regular backup of /etc, now is a good time to at least backup /etc/letsencrypt and /etc/apache2.

In the Apache config for the virtual host, add a new section (or a new file) for the TSL/SSL port 443. The important new lines in the HTTPS section use the files created above. Please note, this example is for an older Apache version, typically available on Debian 7 Wheezy. See these notes for newer versions.

# This will change when Apache is upgraded to >2.4.8
# See https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates
 
SSLEngine on
 
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

To automatically redirect links which have hard coded http, add something like this to the old port *.80 section.

#Redirrect from http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

While editing the virtual site configuration, it can be useful to watch out for the logging format string. Typically the logging formatter “combined” is used. However, this does not indicate which protocol was used to serve the page. To show the port number used (which implies the protocol), change to “vhost_combined” instead. For example:

CustomLog ${APACHE_LOG_DIR}/example_com-access.log vhost_combined

To finish, optionally edit /etc/apache2/ports.conf, and add the following line to the SSL section. It enables multiple named virtual hosts over SSL, but will not work on old Windows XP systems. Tough luck.

<IfModule mod_ssl.c>
  NameVirtualHost *:443
  Listen 443
</IfModule>

Finally, restart Apache to activate all the changes.

apache2ctl restart

Verification and encryption ciphers

SSL Labs has an excellent and comprehensive online tool to verify your certificate setup. Fill in the domain name field there, or replace your site name in the following URL, and wait a couple of minutes for the report to generate. It will give you a detailed overview of your setup, what works, and what is recommended to change.

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Ideally, you’ll get a grade A as shown in the image below. However, a few more adjustments might be required to get there. It typically has to do with the protocols and ciphers the web server is configured to accept and use. This is of course a moving target as security and cryptography research and attacks evolve. Right now, there are two main considerations to make: All the old SSL protocol versions are broken and obsolete, so should be disabled. Secondly, there’s an attack on the RC4 cipher, but disabling that is a compromise, albeit old, between its insecurity and the “BEAST” attack. Thus, disabling RC4 now seems to be preferred.

Taking all this into account, the recommended configuration for Apache and OpenSSL as it stands excludes all SSL versions, as well as RC4 versions. This should result in a forward secrecy configuration. Again, this is a moving target, so this will have to be updated in the future.

To make these changes, edit the Apache SSL mod file /etc/apache2/mods-available/ssl.conf directly, or update the relevant virtual host site config file with the following lines.


SSLHonorCipherOrder on
 
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !ECDHE-RSA-RC4-SHA"
 
SSLProtocol all -SSLv2 -SSLv3

Restart Apache, and regenerate the SSL Labs report. Hopefully, it will give you a grade A.


 
 

Final considerations

Even with all the configuration above in place, the all-green TSL/SSL security lock icon in the browser URL bar, as seen below right, might be elusive. Instead a yellow warning like the on in the image to left might show. This could stem from legacy URLs which have hard coded the http protocol, both to the internal site and external resources like images, scripts. It’s a matter of either using relative links, excluding the protocol and host altogether, absolute site links, inferring the protocol by not specifying it, or hard coding it. Examples:

<img src="blog_pics/ssl_secure.png">
 
<img src="/blog_pics/ssl_secure.png">
 
<img src="//i.creativecommons.org/l/by-sa/3.0/88x31.png">
 
<img src="https://i.creativecommons.org/l/by-sa/3.0/88x31.png">

On a blog like this, it certainly makes sense to put in some effort to update static pages, and make sure that new articles are formatted correctly. However, going through all the hundreds of old articles might not be worth it. When they roll off the main page, the green icon will also show here.

 
 

Comments Off

Debian 7 – netinst

Comments Off

In search of a small simple GNU/Linux server setup, I started with a Debian 7 installation through a network based install – netinst. Using that image is simple, either by writing to a CD, or simply to a USB drive or memory card:
(Replace X with your flash drive, but be careful; everything will be overwritten, without any recovery option).

sudo dd if=debian-7.8.0-i386-netinst.iso.torrent of=/dev/sdX
The installation was straight forward, but it has to be hand-held since there are multiple prompts from various parts of the installation throughout. Unfortunately, the final step of writing out the GRUB configuration failed, since the install medium, the USB flash reader, was included in the GRUB device map. Removing it from /boot/grub/device.map fixed that, and a little rescue operation resolve the rest.

Once booted, there was a problem with the start-stop-daemon; for some reason, it was set to a fake mock implementation. That caused all services to not start. Swapping in with the real implementation took care of that:

mv /sbin/start-stop-daemon /sbin/start-stop-daemon.FAKE
ln -s /sbin/start-stop-daemon.REAL /sbin/start-stop-daemon

Finally, some essentials are always missing:

apt-get install emacs atop htop iftop iotop tree git tig sudo autossh iptables-persistent wpasupplicant cryptsetup smartmontools

Comments Off

Default PDF viewer in Debian

Comments Off

By some strange logic, the primary and default application for viewing PDFs in Debian is Gimp. If you want to edit the PDF, that might make sense, but that is not the most common use case. There is a bug and discussion about this, but unfortunately, in somebody’s stubborn opinion, “it is not a bug”, and was closed many years ago.

Luckily it is easy to fix. The default setting can be found in the file /usr/share/applications/mimeinfo.cache which contains this line:
application/pdf=gimp.desktop;gimp.desktop;epdfview.desktop;evince.desktop;

Notice how Gimp is listed first, while the PDF viewers ePDFViewer and Evince are last in the list. You can edit that file (as root). Or if you prefer you can override the user local setting in /home/$USER/.local/share/applications/mimeinfo.cache, and insert something like

application/pdf=epdfview.desktop;evince.desktop;

The change should take effect immediately, across all applications and browsers, unless the default is overridden there. E.g. Firefox and Chrome have their own internal PDF viewers, however the default MIME applications will be available for selection when the file is downloaded.

Comments Off

Android SDK tools on Debian Wheezy

Comments Off

After downloading the Android SDK bundle, I could not start adb and fastboot, getting somewhat bizarre error messages like:

bash: ./adb: No such file or directory

bash: ./fastboot: No such file or directory

./adb: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: No such file or directory

All of those were due to missing dependencies for i386 libraries. Doda’s article on the topic solved the issue. They can be installed by:

dpkg --add-architecture i386
aptitude update
aptitude install libstdc++6:i386 libgcc1:i386 zlib1g:i386 libncurses5:i386

Comments Off