
Monday, November 02, 2009

Installing Java in Ubuntu 9.04

I was trying to install the latest Java version for Firefox in Ubuntu 9.04. The current sun-java version available from the Jaunty archives is jre1.6u14, while the latest on the Java site (as of now) is jre1.6u16.
Go to this link: http://java.sun.com/javase/downloads/index.jsp and download the latest JDK; as of today it is jdk-6u16.

Open a terminal and cd to the download directory.
$ chmod u+x jdk-6u16-linux-i586.bin
$ sudo mkdir /usr/java
$ sudo mv jdk-6u16-linux-i586.bin /usr/java
$ cd /usr/java
$ sudo ./jdk-6u16-linux-i586.bin
Accept the license agreement and proceed with the installation. This will install Java in the directory /usr/java/jdk1.6.0_16/

Now we have to point the system to the newly installed path. Do this:
$ sudo update-alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_16/jre/bin/java 2
$ sudo update-alternatives --config java
The output will be:
There are 3 alternatives which provide `java'.

Selection Alternative
------------------------------ -----------------
+ 1 /usr/lib/jvm/java-6-sun/jre/bin/java
2 /usr/java/jre1.6.0_15/bin/java
* 3 /usr/java/jdk1.6.0_16/jre/bin/java

Press enter to keep the default[*], or type selection number:
I selected 3. Now we have to point Firefox at the new Java plugin path.
$ cd /usr/lib/firefox-addons/plugins/ ; sudo ln -s /usr/java/jdk1.6.0_16/jre/plugin/i386/ns7/libjavaplugin_oji.so
$ cd /usr/lib/firefox/plugins/ ; sudo ln -s /usr/java/jdk1.6.0_16/jre/plugin/i386/ns7/libjavaplugin_oji.so
Note that Firefox saw the latest plugin only after I linked it into both directories. Then the new version started working.


Monday, September 14, 2009

Installing USB modem ZTE AC2726 in Ubuntu 9.04 Jaunty

Recently I successfully installed the ZTE AC-2726 modem that came with my Reliance wireless broadband connection. Below are the steps:

Insert the modem into a USB port and check whether it gets detected.

$ lsusb
Bus 005 Device 002: ID 19d2:fff5


I noticed in /var/log/messages that the device was detected as USB storage. To make it detect as a modem we will use the usb-modeswitch package, a switching tool for controlling "flip flop" USB devices.

Download the usb-modeswitch package from here and install it.
$ sudo dpkg -i usb-modeswitch_1.0.2-1_i386.deb

Unplug the modem and plug it back in.

$ lsusb
Bus 005 Device 004: ID 19d2:fff1
(Notice the change in product ID.)

$ sudo modprobe usbserial vendor=0x19d2 product=0xfff1

You can see in the logs that the modem is detected correctly now. To detect the modem and generate the dialer config, run:

$ sudo wvdialconf

Check wvdial.conf and add the missing entries as shown below:
$ sudo vi /etc/wvdial.conf
Phone = #777
Password = <Your Password>
Username = <Your Login Name>
Baud = 460800
Stupid Mode = 1
New PPPD = 1
Tonline = 0


Note: Give a valid username and password in the corresponding lines above and uncomment them (hint: remove the ";" from the beginning of the line).

$ sudo wvdial

The connection started working. Note that you can also configure gnome-ppp or kppp to connect.

Friday, September 11, 2009

Asterisk Updates

On my Asterisk server I installed all updates available from the repos. After rebooting the server, all my IAX2 extensions stopped working.

I also found that there was one more interface, virbr0, up with IP address 192.168.122.1. I stopped the dnsmasq service which was listening on this IP, then disabled dnsmasq (chkconfig dnsmasq off) and rebooted the box. The interface was still present.

Since there is no use for this service on my server I removed dnsmasq along with all its dependencies. Did this:
# rpm -e dnsmasq libvirt-0.3.3-14.el5_3.1.i386 NetworkManager-0.7.0-4.el5_3.i386 NetworkManager-glib-0.7.0-4.el5_3.i386 libvirt-python-0.3.3-14.el5_3.1.i386

The virtual interface went away but the IAX2 extensions still did not work. Then I found the following error in /var/log/asterisk/full:
ERROR[2659] chan_iax2.c: Call rejected, CallToken Support required. If unexpected, resolve by placing address x.x.x.x in the calltokenignore list or setting user yyyy requirecalltoken=no

This is due to a security enhancement made in Asterisk recently: IAX2 is now secured by call tokens, which my IAX2 clients still don't support. So I went ahead and disabled this feature for now:

# vi /etc/asterisk/iax.conf
calltokenoptional = 0.0.0.0/0.0.0.0
I added the line above to the end of the file (this makes call tokens optional for every source address). Then did:
# /usr/sbin/amportal restart

All IAX2 extensions started working again. Maybe I should start looking at upgrading my clients to support call tokens for improved security.

References:
http://www.venturevoip.com/allnews.php?count=99999
http://downloads.asterisk.org/pub/security/AST-2009-006.html
Details are available in this PDF: http://svn.digium.com/svn/asterisk/branches/1.4/doc/IAX2-security.pdf
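As an added example (not from the original post, and not Asterisk's own tooling), the script below scans log lines in the format of the error quoted above and groups rejections per peer address and user, so that call tokens can be made optional only for the known internal phones instead of for 0.0.0.0/0.0.0.0. The TRUSTED_NETS subnet and the sample log lines are assumptions.

```python
"""Group IAX2 call-token rejections from an Asterisk full log per peer.

Added example, not part of the original post or of Asterisk. It parses the
error line quoted in the post and counts rejections per (address, user), so
call tokens can be made optional only for the known internal phones instead
of for 0.0.0.0/0.0.0.0. SAMPLE_LOG and TRUSTED_NETS are constructed
assumptions, not real data from the post.
"""
import ipaddress
import re
from collections import Counter

# Message text as quoted in the post; the "[date] ERROR[pid]" prefix is ignored.
REJECT_RE = re.compile(
    r"chan_iax2\.c: Call rejected, CallToken Support required\. If unexpected, "
    r"resolve by placing address (?P<addr>[0-9.]+) in the calltokenignore list "
    r"or setting user (?P<user>\S+) requirecalltoken=no"
)

# Constructed sample in the shape of /var/log/asterisk/full (not real log data).
SAMPLE_LOG = """\
[Sep 11 09:01:12] NOTICE[2659] chan_iax2.c: Registered IAX2 '201' (AUTHENTICATED) at 192.168.1.21:4569
[Sep 11 09:01:15] ERROR[2659] chan_iax2.c: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.1.21 in the calltokenignore list or setting user 201 requirecalltoken=no
[Sep 11 09:01:16] ERROR[2659] chan_iax2.c: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.1.21 in the calltokenignore list or setting user 201 requirecalltoken=no
[Sep 11 09:02:40] ERROR[2659] chan_iax2.c: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.1.35 in the calltokenignore list or setting user 202 requirecalltoken=no
[Sep 11 09:05:03] ERROR[2659] chan_iax2.c: Call rejected, CallToken Support required. If unexpected, resolve by placing address 203.0.113.77 in the calltokenignore list or setting user 201 requirecalltoken=no
"""

# Assumption: the LAN where the legacy IAX2 phones live.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_rejections(log_text):
    """Return a Counter keyed by (peer address, user) for call-token rejections."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits[(m.group("addr"), m.group("user"))] += 1
    return hits


def is_trusted(addr):
    """True when addr falls inside one of the trusted internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def suggest_iax_conf(hits):
    """Return (iax.conf lines for trusted peers, untrusted (addr, user) pairs).

    iax.conf takes calltokenoptional as address/netmask, so a /255.255.255.255
    mask limits the exception to one host rather than to every source.
    """
    optional = sorted({addr for (addr, _user) in hits if is_trusted(addr)})
    untrusted = sorted((addr, user) for (addr, user) in hits if not is_trusted(addr))
    lines = ["calltokenoptional = %s/255.255.255.255" % addr for addr in optional]
    return lines, untrusted


if __name__ == "__main__":
    rejections = parse_rejections(SAMPLE_LOG)
    conf_lines, untrusted = suggest_iax_conf(rejections)
    print("\n".join(conf_lines))
    for addr, user in untrusted:
        print("review: user %s from %s (%d rejections)" % (user, addr, rejections[(addr, user)]))
```

Peers outside the trusted networks are listed for review rather than added to the config.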


Thursday, May 07, 2009

Reports work in AsteriskNow 1.5

I suppose you have already installed AsteriskNow 1.5 and found that reports don't work out of the box. It always says "No data". Apparently the system is not logging the calls and we have to enable this with some additional configuration. Below are the steps:

Log in to your Asterisk server as root and type yum install asterisk-addons-mysql. Select Y when it asks for confirmation. Once this is done all calls that go through your server are tracked and reported. But the admin web interface displays the following error: "Asterisk Manager Connection Failure" (if you don't get that error then the step below is not required).

To fix the error go to the web interface and choose Administrators under the Basic section. Select the admin user and give the password (the same as what you have in the amportal.conf and manager.conf files). Apply changes. That's it.

After that the system starts tracking all the calls going through it.

Monday, April 06, 2009

AsteriskNow 1.5 installation and configuration

AsteriskNow 1.5 was recently released. I already had a box with version 1.0.2 and thought of giving the new version a try. I downloaded the ISO from the site and burned it to a CD. The new version is built on CentOS 5.3. I installed the new version on the same system, overwriting 1.0.2. Note that the installation did not detect the old version, nor did it give me any option to upgrade. Since my server was not in production I went ahead, removed all the partitions and reinstalled the new version. If you have a production box, back up the configuration files or install the new version on a test system and then copy the existing setup/accounts. You have been warned.

I installed AsteriskNow with the default partition scheme (it creates all partitions under a single LVM volume). Once the installation is complete, remove the CD and click reboot. After the OS boots it asks you to configure the following:

Authentication, Firewall, Network, System Services

Authentication - Configure any extra authentication such as LDAP.
Firewall - You can enable the firewall if needed (remember to allow all required ports such as SIP, IAX and Zap).
Network - Configure your network interfaces. This sets the IP address of all interfaces in the system. Note that eth0 alone is enabled by default; other interfaces must be enabled manually (edit /etc/sysconfig/network-interfaces/ifcfg-ethx and set ONBOOT=yes).
System Services - Disable any unwanted services.

After the above is done, exit the wizard to log in to the box. You will also have to restart the network service to enable all interfaces after logging in to the system as root. Immediately after the first login I ran an update:

# yum update

This installed a new version of the kernel (2.6.18-128.1.6.el5) and of the asterisk and dahdi modules, so I rebooted the box (the default kernel is 2.6.18-128.1.1.el5).

After the system reboots, open the web interface in your favourite browser: http://<your-asterisk-server-ip>. When you click the FreePBX Administration link it asks you to enter the password. AsteriskNow 1.5 by default has two administrator accounts with the default passwords specified below.
Username admin, Password admin
Username freepbx, Password fpbx

We will now change the default passwords of both admin accounts and secure the system. First let us change the admin user's password. In the web interface select the Administrators tab in the Basic section. Click the admin user (in the top right) and give a new password of your choice. We are done.

Note: I made the following changes from a root login on the Asterisk box. The web interface prompts you to reload the config after every change you make; you can reload the config once all the changes are done.

To change the freepbx user's password you have to change the entries in two files (we will back up the original files) and also change the MySQL password.
# cd /etc/
# cp amportal.conf amportal.conf.orig
# vi amportal.conf
AMPDBPASS=<new password>

# cd /etc/asterisk
# cp cdr_mysql.conf cdr_mysql.conf.orig
# vi cdr_mysql.conf
password=<new password>
Now we will change the password in MySQL:
# mysql -p   (just press Enter at the password prompt)
mysql> SET PASSWORD FOR freepbx@localhost=PASSWORD('new password');
The web interface reports the following errors at this point (yes, these errors are present in a fresh installation as well).

Notice Memory Limit Changed - To fix this edit /etc/php.ini and set memory_limit=100M (you have to restart httpd after this).

Default Asterisk Manager Password Used:

You have to change this in two files
# cd /etc/
# vi amportal.conf
AMPMGRPASS=<new password>

# cd /etc/asterisk
# cp manager.conf manager.conf.orig
# vi manager.conf
secret = <new password>   (must be the same as what you gave for AMPMGRPASS in amportal.conf)

No email address for online update checks - Go to the General Settings tab under Basic and give an email address in the Update Email text box (I have given my email address here).

Could not reload FOP server - For this we will first install the newest FOP version and then set up httpd to run as the asterisk user (by default httpd runs as the apache user).
# cd /root
# wget http://www.asternic.org/files/op_panel-0.29.tar.gz
# cd /var/www/html/panel
# cp op_server.pl op_server.pl.orig
# cp operator_panel.swf operator_panel.swf.orig
# tar zxfv /root/op_panel-0.29.tar.gz
# cp op_panel-0.29/flash/operator_panel.swf .
# cp op_panel-0.29/op_server.pl .
# cd /var/lib/asterisk/bin/
# ./retrieve_conf

# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.orig
# vi httpd.conf
Find the line User apache and change it to User asterisk. Save the file and exit.
# service httpd restart

After this click Apply Configuration Changes in the web interface. The web interface then reports that a module upgrade is available. Go to the Module Admin tab and click Check for upgrades online. Click Upgrade all and then click Process. Press Confirm. All modules will upgrade automatically.

Now there won't be any errors or other warnings in the web interface. You can create extensions and inbound/outbound settings as required.

I found the fixes at the following links:
http://www.freepbx.org/forum/freepbx/users/freepbx-panel-flashing-red-and-green
http://www.asternic.org/
http://www.freepbx.org/support/documentation/faq/changing-the-asterisk-manager-password

Wednesday, April 01, 2009

Selectively relay emails using postfix

Several machines in my internal network run automated jobs and send out emails. All emails were getting delivered without problems until one fine day my public IP got listed in RBLs and the mail servers using those RBLs stopped accepting mail from mine.

I have now set my main network router to block outgoing port 25 so that my public IP doesn't get blacklisted again. This means internal machines cannot send mail to any domain outside my network. I needed a mechanism to route all my emails through my external mail server, which has a proper MX record. My external mail server, which is outside my network, allows users to relay mail only after successful authentication on port 465 (SSL). I configured Postfix for this.

Note that since Postfix does not deliver mail via port 465, I used stunnel for the SMTPS connection between my Postfix box (acting as the SMTPS client here) and the external mail server.

Let us start by installing Postfix. We will also see how to route emails from sendmail through Postfix.

Note: In the config below, example.com is the local domain of the Postfix box and example1.com is the external domain.

# yum install postfix

We will first configure stunnel to forward all connections to the external mail server.
# vi /etc/stunnel/stunnel.conf
client = yes
[rev-smtps]
accept = 127.0.0.1:2525
connect = <externalmailserver>:465
The above configuration makes stunnel listen on localhost port 2525 and forward everything from that port to the mail server's port 465. Certificates are accepted automatically (with this config stunnel does not verify the server's certificate).

Let us start stunnel.

# stunnel /etc/stunnel/stunnel.conf
(You can put this line in /etc/rc.local so that the service starts automatically after the machine reboots.)

Now try connecting to port 2525 with:
# telnet localhost 2525

You will see the greeting from the remote SMTP server. Now we will configure Postfix to authenticate with the remote mail server and route all such connections through stunnel. Postfix treats "#" as a comment only at the start of a line, so the comments below are on their own lines.
# vi /etc/postfix/main.cf
# Enable SASL authentication to the remote server (the connection itself is encrypted by stunnel)
smtp_sasl_auth_enable = yes
# Left empty so that plaintext mechanisms are allowed; Postfix only talks to stunnel on localhost
smtp_sasl_security_options =
# Specifies the password file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Tells Postfix to selectively forward or relay emails
transport_maps = hash:/etc/postfix/transport
# List of all domains the server will accept and relay email for
relay_domains = $mydestination, example1.com
# Interfaces on which Postfix listens
inet_interfaces = $myhostname, localhost
# Local delivery domains
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, example.com
home_mailbox = Mailbox
Save the file.

We can configure a different mail server for each domain with Postfix's transport file. As in main.cf, comments must be on their own lines.
# vi /etc/postfix/transport
example1.com smtp:127.0.0.1:2525
# You can list any other domains here if your external mail server allows relaying for them
any-other-domain.com smtp:127.0.0.1:2525
The above config forwards all mail destined for example1.com and any-other-domain.com through the stunnel listener, which in turn connects to the external mail server.
# vi /etc/postfix/sasl_passwd
[127.0.0.1]:2525 username@example1.com:password
Note that you can give only one username:password combination per mail server (127.0.0.1:2525 in this case).

Save this file.

Create the lookup maps so that Postfix reads the new configuration.
# postmap /etc/postfix/sasl_passwd
# postmap /etc/postfix/transport

All my internal servers run sendmail, so I have to tell sendmail to route email through the Postfix box. I did this:
# vi /etc/mail/mailertable
# substitute the IP address of your Postfix server for x.x.x.x in each line
example.com smtp:[x.x.x.x]
example1.com smtp:[x.x.x.x]
any-other-domain.com smtp:[x.x.x.x]
You will also have to add MX entries for example.com in your DNS.

With the above config, this is what happens:
1. Any mail sent from internal servers (including the Postfix server itself) to user@example.com is delivered to the corresponding user mailbox on the Postfix box.
2. Any mail sent from internal servers (including the Postfix server itself) to user@example1.com (or any-other-domain.com) is forwarded to the external mail server's port 465 after authenticating as user@example1.com.
3. Any mail from the Postfix box to user@localhost or user@hostname-of-the-postfix-box is delivered locally.

Note that any mail sent to other domains through this Postfix server will be rejected.
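To check what the above configuration does with a given recipient, here is an added example (not from the original post, and not Postfix code) that models Postfix's default recipient restrictions (permit_mynetworks, reject_unauth_destination) together with the mydestination, relay_domains, transport and sasl_passwd values above. The hostname mail.example.com and the client_in_mynetworks flag are assumptions, and the SASL key matching is an approximation of Postfix's lookup order.

```python
"""Model the relay decisions implied by the Postfix config in the post.

Added example, not from the original post or from Postfix itself. For a
recipient it reports whether mail is delivered locally, relayed through the
stunnel listener (and with which SASL credential), sent directly on port 25
(which the router in the post blocks), or rejected. The hostname and the
client_in_mynetworks flag are assumptions; Postfix permits relaying from
clients in $mynetworks even for domains outside relay_domains.
"""

MYHOSTNAME = "mail.example.com"  # assumed $myhostname
MYDOMAIN = "example.com"         # $mydomain

# main.cf values from the post with $myhostname/$mydomain expanded.
MYDESTINATION = {MYHOSTNAME, "localhost." + MYDOMAIN, "localhost", MYDOMAIN}
RELAY_DOMAINS = MYDESTINATION | {"example1.com"}

# /etc/postfix/transport: recipient domain -> "transport:nexthop".
TRANSPORT = {
    "example1.com": "smtp:127.0.0.1:2525",
    "any-other-domain.com": "smtp:127.0.0.1:2525",
}

# /etc/postfix/sasl_passwd: keyed by nexthop, as written in the post.
SASL_PASSWD = {"[127.0.0.1]:2525": "username@example1.com:password"}


def sasl_user_for(nexthop):
    """Return the SASL username for a nexthop such as '127.0.0.1:2525'.

    Approximation: Postfix tries the nexthop with and without brackets and
    port; the spellings below cover the forms used in the post.
    """
    host, _, port = nexthop.partition(":")
    for key in (nexthop, "[%s]:%s" % (host, port), "[%s]" % host, host):
        if key in SASL_PASSWD:
            return SASL_PASSWD[key].split(":", 1)[0]
    return None


def route(recipient, client_in_mynetworks=False):
    """Return (outcome, target, detail) describing what Postfix does."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION:
        return ("local", domain, None)
    # reject_unauth_destination: only relay_domains (or mynetworks clients)
    # may relay; a transport entry alone does not make a domain relayable.
    if not (client_in_mynetworks or domain in RELAY_DOMAINS):
        return ("reject", domain, "Relay access denied")
    entry = TRANSPORT.get(domain)
    if entry is None:
        # Default smtp transport: MX lookup and delivery on port 25.
        return ("smtp-direct", domain, None)
    _transport, _, nexthop = entry.partition(":")
    return ("relay", nexthop, sasl_user_for(nexthop))


if __name__ == "__main__":
    for rcpt in ("bob@example.com", "bob@example1.com",
                 "bob@any-other-domain.com", "bob@gmail.com"):
        print(rcpt, route(rcpt), route(rcpt, client_in_mynetworks=True))
```

On the real box, postmap -q example1.com hash:/etc/postfix/transport shows what Postfix itself resolves for a domain.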

Sunday, March 22, 2009

Tomcat Failover Setup with Apache2+modjk

Tomcat works fairly well under heavy loads, but for critical services we need some type of backup/failover mechanism. This tutorial is for those who want to configure Apache to fail over between two Tomcat instances: when the first Tomcat instance fails, Apache httpd automatically routes requests to the second.

This tutorial shows how to configure failover between two Tomcat instances on the same server (I have also shown how to do this for Tomcat instances on two different servers). For this I am assuming you know how to install multiple Tomcat instances on the same machine. This is only slightly different from load balancing between two Tomcat instances, as you can see below in the sample workers.properties file. Comments are on their own lines because a trailing "# ..." on a value line becomes part of the value in a properties file.


#
# workers.properties
#
# Below Entry Specifies the load balance factor when used with a load balancing worker.
# Note: ----> lbfactor must be > 0,  Low lbfactor means less work done by the worker.
# worker.tomcat1.lbfactor=100

# In Unix, we use forward slashes:
ps=/

# list the workers by name

# Workers that are member of lb should not be in the list.
worker.list = failover

# ------------------------
# Tomcat1 Primary 
# ------------------------
# Specify your Tomcat instance's AJP port here
worker.tomcat1.port=8009
# Specify a hostname/IP here if Tomcat is running on a remote server
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=1
worker.tomcat1.connection_pool_timeout=600
worker.tomcat1.socket_timeout=600
worker.tomcat1.redirect=tomcat2

# ------------------------
# Tomcat2 Failover
# ------------------------
# Specify your Tomcat instance's AJP port here
worker.tomcat2.port=9009
# Specify a hostname/IP here if Tomcat is running on a remote server
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
worker.tomcat2.lbfactor=1
worker.tomcat2.connection_pool_timeout=600
worker.tomcat2.socket_timeout=600
# Requests are sent to the disabled worker only if the first worker fails
worker.tomcat2.activation=disabled

# ------------------------
# Failover worker
# ------------------------
#
# The loadbalancer (type lb) worker performs weighted round-robin
# load balancing with sticky sessions.
# Note:
# ----> If a worker dies, the load balancer will check its state
# once in a while. Until then all work is redirected to peer
# worker.
worker.failover.type=lb
worker.failover.balance_workers=tomcat1,tomcat2
worker.failover.sticky_session=False
worker.failover.sticky_session_force=False

# END workers.properties
 

Load Balancing tomcat with Apache and mod jk

Tomcat works fairly well under heavy loads, but many a time we would like to distribute requests across more than one server to minimize response time and thereby improve the user experience. This tutorial shows how to configure load balancing (distributing the load) between two Tomcat instances on the same system (I have also shown how to do this for Tomcat instances on two different servers). For this I am assuming you know how to install multiple Tomcat instances on the same machine and also know how to connect Apache with Tomcat using mod_jk.

All we do here is add a new worker to the workers.properties file we already saw in the previous tutorials, with Apache httpd 2.x, Tomcat 6.x and tomcat-connectors 1.2.27.

Below is the content of workers.properties file.

#
#workers.properties
#
# Below Entry Specifies the load balance factor when used with a load balancing worker.
# Note: ----> lbfactor must be > 0, Low lbfactor means less work done by the worker.
# worker.tomcat1.lbfactor=100 

# In Unix, we use forward slashes:
ps=/

# list the workers by name

# Workers that are member of lb should not be in the list.
worker.list = loadbalancer  

# ------------------------
# First worker
# ------------------------
# Give the AJP port of the first Tomcat instance here
worker.tomcat1.port=8009
# You can mention any other hostname or IP here
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=100
worker.tomcat1.connection_pool_timeout=600
worker.tomcat1.socket_timeout=600
worker.tomcat1.recovery_options=16

# ------------------------
# Second worker
# ------------------------
# Give the AJP port of the second Tomcat instance here
worker.tomcat2.port=9009
# You can mention any other hostname or IP here
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
worker.tomcat2.lbfactor=100
worker.tomcat2.connection_pool_timeout=600
worker.tomcat2.socket_timeout=600
worker.tomcat2.recovery_options=16

# ------------------------
# Load Balancer worker
# ------------------------
#
# The loadbalancer (type lb) worker performs weighted round-robin
# load balancing with sticky sessions.
# Note:
# ----> If a worker dies, the load balancer will check its state
#once in a while. Until then all work is redirected to peer
# worker.
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=tomcat1,tomcat2
worker.loadbalancer.sticky_session=False
worker.loadbalancer.sticky_session_force=False

# END workers.properties

Note: You can have as many Tomcat instances (workers) as you want on the same box, as long as the box can withstand the load.
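The two workers.properties files above follow a few rules: lbfactor must be > 0, lb members must not also be listed in worker.list, every referenced worker must be defined, and comments belong on their own lines. The checker below is an added example, not part of the posts or of mod_jk, that validates a file against those rules; SAMPLE is a constructed, shortened copy of the failover file.

```python
"""Check a mod_jk workers.properties against the rules in the posts above.

Added example, not part of the posts or of mod_jk. It flags: workers named in
worker.list, balance_workers or redirect that are not defined; lb members that
also appear in worker.list; lbfactor <= 0; and ajp13 workers whose port is not
numeric (a trailing "# comment" on a value line produces exactly that, because
Java properties files only treat "#" as a comment at the start of a line).
SAMPLE is a constructed, shortened copy of the failover file from the post.
"""
import re

SAMPLE = """\
# constructed sample (comments on their own lines)
worker.list=failover
worker.tomcat1.port=8009
worker.tomcat1.host=localhost
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=1
worker.tomcat1.redirect=tomcat2
worker.tomcat2.port=9009
worker.tomcat2.host=localhost
worker.tomcat2.type=ajp13
worker.tomcat2.lbfactor=1
worker.tomcat2.activation=disabled
worker.failover.type=lb
worker.failover.balance_workers=tomcat1,tomcat2
"""

def parse_workers(text):
    """Return (worker_list, {worker name: {property: value}})."""
    workers, worker_list = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "worker.list":
            worker_list = [w.strip() for w in value.split(",") if w.strip()]
        else:
            m = re.match(r"worker\.([^.]+)\.(.+)$", key)
            if m:
                workers.setdefault(m.group(1), {})[m.group(2)] = value
    return worker_list, workers

def validate(text):
    """Return a list of problems; an empty list means the rules are obeyed."""
    worker_list, workers = parse_workers(text)
    problems = []
    for name in worker_list:
        if name not in workers:
            problems.append("worker.list names undefined worker %r" % name)
    for name, props in workers.items():
        wtype = props.get("type")
        if wtype == "lb":
            members = [m.strip() for m in props.get("balance_workers", "").split(",") if m.strip()]
            if not members:
                problems.append("lb worker %r has no balance_workers" % name)
            for m in members:
                if m not in workers:
                    problems.append("lb %r references undefined worker %r" % (name, m))
                elif m in worker_list:
                    problems.append("lb member %r must not also be in worker.list" % m)
        elif wtype == "ajp13":
            if not props.get("port", "").isdigit():
                problems.append("ajp13 worker %r needs a numeric port, got %r" % (name, props.get("port")))
            lbf = props.get("lbfactor")
            if lbf is not None and (not lbf.isdigit() or int(lbf) <= 0):
                problems.append("worker %r lbfactor must be > 0, got %r" % (name, lbf))
            target = props.get("redirect")
            if target and target not in workers:
                problems.append("worker %r redirects to undefined worker %r" % (name, target))
        else:
            problems.append("worker %r has a type this checker does not know: %r" % (name, wtype))
    return problems

if __name__ == "__main__":
    for p in validate(SAMPLE) or ["no problems found"]:
        print(p)
```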

Monday, January 12, 2009

Ftps with apache keys

FTPS (FTP with SSL) is different from SFTP in that the latter is mostly a part of the SSH service. All permissions that a user has through SSH, like viewing files under other directories such as /etc, are also available through SFTP. Using SFTP one can download a copy of the /etc/passwd file. To safeguard against this you have to enable chroot for SFTP users so that they are restricted to their home directory. I found the configuration of chrooted SFTP difficult. Since I had an FTP server running on the same box, with chrooted users, it made a lot of sense to me to use FTPS. I just had to add the certificates' location and the rest of the configuration was already there.

In my other post I wrote about using Apache Tomcat SSL keys in the Apache httpd server. This post explains how to use Apache httpd SSL keys in vsftpd.

I assume that you have a working copy of vsftpd. If not, please install and configure vsftpd as per your requirement. Here is what you have to do to enable FTPS (FTP over SSL).

Store all your Apache SSL keys in a location accessible to vsftpd. I kept them under /root/vsftpd_keys/. There will be a minimum of two files (private key and public certificate). In my case I had the private key (exported.key), the public certificate (mydomain.com.crt) and two intermediate certificates (cross_intermediate.crt, gd_intermediate.crt).

First we have to combine public and intermediate keys into one file:
# cd /root/vsftpd_keys/
# cat mydomain.com.crt cross_intermediate.crt intermediate.crt > vsftpd_domain_inter_comb3.crt

Note: 1. You have to concatenate the files in the same order as specified above.
      2. It is fine to join just the domain and intermediate certs if your certificate chain doesn't need/have a cross_intermediate.

Edit the vsftpd.conf file (Usually /etc/vsftpd/vsftpd.conf) and add the following to the end of the file:
userlist_enable=YES
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/root/vsftpd_keys/vsftpd_domain_inter_comb3.crt
rsa_private_key_file=/root/vsftpd_keys/exported.key
pasv_enable=YES
pasv_address=<your ip here>
(Note: When the system is behind a NAT firewall you have to give the firewall's NATed IP here.)
pasv_min_port=1500
pasv_max_port=1505

The above configuration requires incoming ports 1500 to 1505 to be open in the firewall, if you have one.

Wednesday, January 07, 2009

Exporting tomcat keys to Apache httpd

Apache Tomcat SSL keys created with keytool are, by default, in DER format. These keys cannot be used in Apache httpd since httpd, by default, expects the keys in PEM (X.509) format. Using the steps below you can export Tomcat's keys to the Apache httpd format and use them with Apache.

I assume that you already have a working copy of tomcat with SSL. You need a copy of the tomcat's keystore file and the keystore password.

Let us start....

First copy the existing tomcat's keystore file to a new directory so that we don't break anything that is working.

# mkdir /root/SSL_export/
# cp <path/to/tomcat/keystore/file> /root/SSL_export/tomcat.keystore
# cd /root/SSL_export/
# keytool -list -keystore tomcat.keystore
Enter keystore password: 

The above command will print all the keys in the keystore.

Now we will export the certificate in DER format:
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password: 
The output will be: Certificate stored in file

The certificate will be stored in exported-der.crt

Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
The output will be the whole certificate, showing who issued it and other info such as your company name.

Now convert the certificate to PEM format so that Apache can read it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

The exported certificate will be in the file exported-pem.crt.

We have exported the public certificate; now we are going to export the private key.

Download these files:
# wget  http://richfreedman.googlepages.com/ExportPrivateKey.java
# wget http://www.source-code.biz/snippets/java/Base64Coder.java.txt
# mv Base64Coder.java.txt Base64Coder.java
# javac ExportPrivateKey.java Base64Coder.java

The command below saves the exported private key in the file it is redirected to.
# java ExportPrivateKey tomcat.keystore tomcat G10BalPass > exported-pkcs8.key

We have to convert it to RSA format so that Apache can recognise it.
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

Private key is now exported to the file exported.key.
Download the intermediate certificate from your certificate authority and keep it in the same location.

Now we should configure apache accordingly:
# cd /etc/httpd/conf.d/
# cp ssl.conf ssl.conf.orig
# vi ssl.conf   (change the following lines only after commenting out the old lines)
SSLCertificateFile /root/SSL_export/exported-pem.crt
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<intermediate.crt>

Restart Apache. You should now be able to browse https://yourdomain.com/