Server

Cable Internet – Isolate the Problem


After rewiring my entire house, the ultimate way to isolate the problem is to put the cable modem directly on the main line. Replace all splitters, ask the cable company to drop a new main line, and you can feel confident that the problem is no longer in your house. I rewired my entire house, replaced all splitters, then called the cable company. They replaced the splitter outside, and then dropped a new main line. The problem is no longer in my house. My router is losing its external IP address. So far the cable company said they will compensate us for one month's service; if this continues, more compensation is warranted.

Every time the internet goes down, this website, my other websites, and all of my email services go offline. I rely on this website to get me through the day when I am at work. What is a day of work when you can blog about things :)


Apache2 Server Side Includes

Server side includes allow external HTML documents to be injected into a page before it is rendered in the client's web browser. The benefit is that you no longer need to repeat the same code on every page. If you include the same scripts on each of your website pages, you can create an external HTML document and inject it using a server side include with a single line of code. If you're using virtual host containers, you can include the server parameters directly in the file. Add the following directory block and make the directory path that of the virtual host block’s document root:

<Directory /var/www/*>
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</Directory>

Make .shtml the extension of the files you are including. I think you can make it anything, I just used “.html”.

Then enable the module:

sudo a2enmod include

Reload apache2:

sudo /etc/init.d/apache2 restart

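Then include external HTML files using the following directive. There must be no space between <!-- and #include, or Apache treats the line as an ordinary HTML comment:

<!--#include virtual="/mrtg/file1.html" -->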

Remote Server Management in Local Facility – LTSP

I’m using LTSP to manage a server remotely in a local facility. I set up an LTSP server on the host machine, and will place it in an air-conditioned room to preserve longevity. I configured a machine, of much lower power, to PXE boot from the server. There are several nuances to setting up an LTSP server. Once all is done you realize that it is less complicated than it can or needs to be. When things go right there are essentially three steps in total. First:

sudo apt-get install ltsp-server-standalone

This installs the works. Then configure DHCP:

sudo nano /etc/ltsp/dhcpd.conf

Set the subnet to the one you are using on your router. If your router’s local IP is 192.168.0.1, your subnet would be 192.168.0.0. Then set a range. Make sure you turn off the DHCP servers in any and all routers connected to the network; the DHCP server on this machine needs to be the only one. Set the “next-server” option to the local IP address of the server. Then set the rest of the options: domain, default gateway, DNS, and so on. Then restart the DHCP server:

sudo /etc/init.d/dhcp3-server restart

Build the clients:

sudo ltsp-build-client

That’s really all there is to it. I’ve found that problems do arise, and instead of trying to fix them I just purge all the installed applications and start over.

sudo apt-get remove --purge ltsp-server-standalone ltsp-server xinetd

One time I was stuck because there were two tftp inet servers, openbsd-inetd and inetd-hpa. They were conflicting. Then run autoremove with the purge option:

sudo apt-get --purge autoremove

Then start over by installing ltsp-server-standalone. You can test your LTSP server using VirtualBox. Just like a real machine, set the boot sequence to network as the first option. Now hook up a fancy monitor that can support 1920×1080 to the relatively low powered machine in the other room, and remotely manage your server from a pseudo local desktop environment.

Lock Down IP Addresses – SSH and Else

If you know the IP addresses that will be connecting to your machine, lock them down. Use the hosts.allow file as follows.


sshd : localhost : allow
sshd : 192.168.3. : allow
sshd : 192.168.1. : allow
sshd : ALL : deny

Listing the allow rules first and ending with sshd : ALL : deny blocks everything that the allow rules do not match. With sshd : IP : allow you can connect to the machine from that IP only, and everything else is rejected. This procedure will substantially increase the security of the server.

Web Based SSH Clients

If you want to connect to your server in an encrypted and secure fashion, but do not want to or cannot install a binary on your local system, you can use a web based SSH client. The original software, that I have heard of, is Anyterm. It has since been replaced by Ajax Term, and subsequently Web Shell. I have played with Ajax Term a bit, but could never get everything working as I wanted. I’m going to take a second crack at Ajax Term, and then Web Shell. I would like a secure means of connecting to my server, but there is a hitch. The most secure means is to use RSA keypairs, which means the key must be transportable on a USB drive or the like. I wonder how well Ajax Term or Web Shell function using an RSA key. Conveniently you can install Ajax Term directly from the Ubuntu repos. A simple:

sudo apt-get install ajaxterm

Ajax Term will be installed as a system service complete with an init.d script. In Karmic you will issue:

sudo service ajaxterm start

Configure Ajax Term in /etc/default/ajaxterm. Ajax Term does not do encryption, so for security you would put it behind SSL and connect to your server with https. Refer to the Ubuntu documentation for more information about SSL setup for Ajax Term. As per the Ubuntu documentation there is also Shell in a Box. There are various choices and ways to get a secure connection to your home machine.

The main reason I recommend and prefer RSA keypairs is to completely disable password authentication on the server. This eliminates the possibility of a brute force attack, or an SSH DoS. The server rejects all password attempts no matter what. It is a sweet configuration, and as a server administrator you can walk around with a USB drive with your RSA key to connect to the server securely.
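One way to check that password logins really are off, as an added example that is not part of the original post: the function names and the sample configurations are constructed, and only global sshd_config settings are modelled (no Match blocks).

```shell
#!/bin/sh
# Audits sshd_config text for the key-only setup described above.
# sshd uses the first occurrence of a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

# effective CONFIG KEYWORD DEFAULT -> prints the value sshd would use
effective() {
    value=$(printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == tolower(k) { print tolower($2); exit }')
    echo "${value:-$3}"
}

# password_logins CONFIG -> prints "disabled" or why passwords still work
password_logins() {
    if [ "$(effective "$1" PasswordAuthentication yes)" != no ]; then
        echo "enabled: PasswordAuthentication"
    # Keyboard-interactive backed by PAM still prompts for the account
    # password. Newer OpenSSH names this keyword KbdInteractiveAuthentication.
    elif [ "$(effective "$1" ChallengeResponseAuthentication yes)" != no ] &&
         [ "$(effective "$1" UsePAM no)" = yes ]; then
        echo "enabled: keyboard-interactive via PAM"
    else
        echo "disabled"
    fi
}

# Constructed sample configurations.
HALF_DONE='PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes'

KEY_ONLY='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

SHADOWED='PasswordAuthentication yes
# appended later, but the first occurrence above is the one used
PasswordAuthentication no'

password_logins "$HALF_DONE"
password_logins "$KEY_ONLY"
password_logins "$SHADOWED"
```

On a live server, sudo sshd -T prints the effective settings, which also accounts for Match blocks and included files.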