Tuesday, 21 February 2012

some things i do with Ubuntu

this is a little list of some of the things i like to do with a fresh install of Ubuntu. i quite often use Ubuntu in a virtual machine for things like network monitoring and partition management but also as a general sandbox environment.

the details in this post apply to version 11.10 (Oneiric Ocelot), and may or may not work with other versions. as always i offer no guarantees of the following working for you. you should be comfortable working with linux already if you want to recreate any of what i do, and i can't be held responsible for anything that might go wrong...

if you want to play around with VMs, go and download the free VMware player. it's pretty good for most people's needs. i prefer VMware workstation as it has some useful features like snapshots, and the ability to create virtual networks between VMs. (snapshots are great, once you've installed the OS and got it configured to a basic state you can take a snapshot and easily get back to that point whenever you like)

Turn off the screen lock
i will often get sidetracked when working with the VM, so turning off the screen lock etc is a must as it's annoying to have to keep entering my password to unlock when i finally come back to it.

System Settings > Personal > Screen
Turn off after: Never
Lock: Off

Make sudo usable
in Ubuntu the root account exists but logins are disabled by default. sudo (superuser do) is available to allow normal users to execute commands with root privileges.
i like to set up sudo so that i can use it without having to enter a password. this does present a security risk (anything running under your account can then become root without a prompt) but it saves a bit of time if you're working with multiple terminals, or rebooting frequently when making significant system changes.

to do this open a terminal (Ctrl+Alt+T) and type
sudo visudo
it will prompt for the password. at the bottom of the file (and i do mean the very last line; read the man pages if you want the full details of how it's parsed) add a line
username ALL=(ALL) NOPASSWD: ALL
then press Ctrl+O, Return, Ctrl+X. you will be back at the terminal. now you can use sudo without a password. once you've finished making changes to the system you can always open visudo again and comment the line out until you need it again. if you have only a handful of commands that you regularly need sudo for, you can also configure sudo to skip the password for just those specific things; check the man pages.
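the per-command alternative mentioned above, as an added example (not part of the original post): it writes a sudoers drop-in that skips the password only for the listed commands and syntax-checks it with visudo -c before it goes anywhere near /etc/sudoers.d. the function name, the user name and the /sbin paths are assumptions; check the paths with `which iptables` on your own system.

```shell
#!/bin/sh
# write_sudoers_dropin USER OUTFILE 'CMD [ARGS]'...   (hypothetical helper)
# writes one NOPASSWD line covering only the commands given
write_sudoers_dropin() {
    user=$1
    out=$2
    shift 2
    [ $# -gt 0 ] || { echo "no commands given" >&2; return 1; }
    list=
    for cmd in "$@"; do
        # sudoers entries should name commands by absolute path
        case $cmd in
            /*) ;;
            *) echo "not an absolute path: $cmd" >&2; return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    ( umask 077; printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list" > "$out" ) || return 1
    chmod 0440 "$out"
    # check the syntax now; a broken file in /etc/sudoers.d can lock sudo up
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$out" || { echo "sudoers syntax check failed" >&2; return 1; }
    fi
}

# example call: listing the firewall stays passwordless, everything else
# still asks. arguments written out must match exactly, and "" means the
# command is only allowed with no arguments at all
# write_sudoers_dropin username /tmp/firewall-ro \
#     '/sbin/iptables -L -n -v' '/sbin/iptables-save ""'
```

once it passes the check, copy the file into /etc/sudoers.d/ as root (owner root, mode 0440) instead of adding the NOPASSWD: ALL line.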

Install VMware tools
this enables nice features like dynamic display resolution changes, copy and paste between host and guest etc.
open-vm-tools is a project that's undergoing development so don't expect all the vmware tools features you get in, for example, a windows guest to be working out-of-the-box.
open a terminal
sudo apt-get install open-vm-tools
it will take a moment to download the required bits and pieces. once done restart Ubuntu.

Set up a basic firewall
Ubuntu has iptables installed, but not configured to actually do anything by default.

if you've been playing with iptables, it's a good idea to start by flushing any existing rules
sudo iptables -F
it is always better to start with everything closed and open what you need, rather than having an 'open' policy and then blocking things. change the default policies of the INPUT, FORWARD and OUTPUT chains to DROP.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
the loopback interface needs two rules to function correctly
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
now create a rule to handle connections already established by the host
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
and some rules to allow basic web browsing (UDP port 53 for DNS lookups, TCP port 80 for http, TCP port 443 for https)
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
and that's a very simple firewall set up. if you are using a POP3/SMTP client for handling your emails then you might like to add some specific rules to limit traffic only to specific email servers (depends how paranoid you're feeling!)
e.g. if you were using yahoo's pop and smtp servers you could use nslookup to find the ip addresses and add rules for them
sudo iptables -A OUTPUT -p tcp --dport 110 -d 98.139.215.247/32 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 25 -d 77.238.184.40/32 -j ACCEPT
refer to the man pages if you want to do anything particularly fancy like NAT, packet marking/mangling etc.

Make your firewall persistent
once you've created your firewall, you probably want it to persist across reboots otherwise you'll be back to square one every time...
use your favourite editor (i like nano) to create a script that will save the current firewall configuration when the computer shuts down
sudo nano /etc/network/if-post-down.d/iptables.moo
now enter the following (/somewhere/accessible/ should be changed to something like /home/yourusername/iptables/ where the script will get write permissions)
#!/bin/sh
iptables-save > /somewhere/accessible/current.iptables
exit 0
save and exit. now create a script for start up
sudo nano /etc/network/if-pre-up.d/iptables.moo
enter the following
#!/bin/sh
iptables-restore < /somewhere/accessible/current.iptables
exit 0
save and exit. you now need to make the scripts executable
sudo chmod +x /etc/network/if-pre-up.d/iptables.moo
sudo chmod +x /etc/network/if-post-down.d/iptables.moo
now whatever is in the iptables at shutdown will be there on start up. in a 'production' environment it would be better to manually save a safe set of defaults to /home/username/iptables/ using iptables-save and not create the if-post-down.d script. that way if someone misconfigures the firewall inadvertently a reboot will easily restore it to a known good state.
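one way to check the saved file before it gets restored, as an added example (not part of the original post): check_ruleset only succeeds if the filter table is still default-deny (all three policies DROP, as set up above) and the file can't be modified by group or other, since it is loaded as root at boot. sample_ruleset is constructed iptables-save output for the rules in this post; both function names are made up for the example.

```shell
#!/bin/sh
# constructed sample: iptables-save output for the rules built in this post
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE (hypothetical helper): succeed only if FILE is a
# default-deny filter table that group/other cannot modify
check_ruleset() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "not a regular file: $f" >&2; return 1
    fi
    # the file is fed to iptables-restore as root at boot, so a writable
    # copy lets another account rewrite the firewall
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "group/world-writable: $f" >&2; return 1
    fi
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
            seen++
            if ($2 != "DROP") { print substr($1, 2) " policy is " $2; bad = 1 }
        }
        table == "filter" && $0 == "COMMIT" { committed = 1 }
        END { exit (bad || seen != 3 || !committed) }
    ' "$f" >&2
}

# in the if-pre-up.d script this would gate the restore:
# check_ruleset /somewhere/accessible/current.iptables &&
#     iptables-restore < /somewhere/accessible/current.iptables
```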

as of Ubuntu 12.04 (and possibly earlier) this method no longer works due to the way in which Network Manager handles if-pre-up.d (it doesn't, basically).
just use iptables-persistent instead, it's less ballache.

Install Wireshark and configure it to play nicely
if you're doing stuff with iptables, chances are you've heard of Wireshark. if not, it's a great little tool to monitor network traffic. it can be installed with the following
sudo apt-get install wireshark
you will notice though that if you run it from the dash home you can't capture on any interfaces. this is because by default dumpcap needs root privileges. in a terminal issue the following command
sudo dpkg-reconfigure wireshark-common
and answer yes to the question "should non-superusers be able to capture packets?" this will create a user group called wireshark that will allow packet capturing. all that remains is to add yourself (or the user account that will be running wireshark) to the group.
sudo usermod -a -G wireshark username
now you can run wireshark and capture packets on all available interfaces. N.B. you will need to log off and back on before it will work.
running wireshark inside a VM is particularly useful because in the VM settings you can select the network to operate in bridge mode and then assign the VM its own IP address on the host NIC. this is useful for things like short-term DMZ monitoring etc.

think that'll do for now...i might write another post if i think of anything that might be useful
