HOWTO: Fully encrypted vServer with Ubuntu 12.04

October 24th, 2012 7 comments

In this blog post I am going to demonstrate how to easily setup a virtual server at Hetzner. This setup will work for most other vServer operators as well, but some adjustments may be required. Prerequisite is that you are able to access the console of  the server while booting, as you need to be able to enter the passphrase. You also need to be able to boot into some sort of “Rescue System” for the setup. This is no in-place setup. In Hetzner’s “Robot” this is pretty easy.

One thing to consider regarding security: fully encrypting a vServer might seem… senseless, as the host operator can easily copy the whole memory of the VM while running and extract the key this way. True. There is no way around this fact. My reason for wanting a fully encrypted system is more of the way that I want to be sure that the data is encrypted on the storage system. I want to protect from being unable to ever fully wipe the persistent data from disk in case I cancel the VM, the VM gets moved to a new host, or a failed disk is sent in to the manufacturer. For me, this is a compromise I can accept. YMMV.

You can also try this HOWTO under VirtualBox with the System Rescue CD ISO images. Actually, that’s where I verified all steps are working.

So, let’s dive into the fun of the HOWTO. BEWARE! THIS TUTORIAL WILL WIPE ALL DATA ON YOUR VSERVER! I TAKE NO RESPONSIBILITY IF YOU LOSE DATA!  IT MIGHT ALSO NOT WORK FOR YOU. USE THIS AT YOUR OWN RISK!

The following steps will partition the disk, setup LVM and LUKS, install Ubuntu 12.04 and prepare the system for reboot. Most parts can be copied line-by-line. Please beware that there are some parts in this tutorial that needs to be adjusted: UUIDs of partitions, hostname, username, and most important: network setup.

Read more…

Categories: computer, sysadmin Tags: , , ,

A geek’s unified instant messaging setup

December 10th, 2011 3 comments

Today I want to present to you my unified instant messaging setup, which enables me to communicate from any of my computers and also any of my mobile devices (Android, iPhone, iPad). Goal for me was to provide a setup where I have single client per platform with a centralized history I can search if I need to. I want one – and only one – client for my communication. I only care about text instant messages, actually; I hardly ever use voice or video services when communicating online. I really like the asynchronous nature of instant messages. At the moment, I have integrated IRC, ICQ, Google-Talk/Jabber/XMPP (which could potentially also include Facebook), and Skype. The current setup also gives me push notifications to my iOS devices on messages directed at me. Today’s posting is only intended to give you a very high level overview. I will add detailed descriptions of individual setups of the individual components in later posts.

The Unified Instant Messaging Schema

Read more…

Fix two Ubuntu 10.04 window manager annoyances

January 27th, 2011 No comments

When upgrading to Ubuntu 10.04 I noticed two annoyances (which actually are just a matter of personal taste):

  • The OSX-like positioning of the close, minimize and maximize buttons on the left instead of the right of the window.
  • The fade-out (invisibility) of other windows when using Alt-Tab for tabbing through the available windows on the current desktop.

As I tend to forget and need to Google every time I encounter a newly setup 10.04 system, I now jot down the settings to change.

For changing the window buttons:

  1. Start gconf-editor.
  2. Find /apps/metacity/general/button_layout.
  3. Change its value to menu:minimize,maximize,close.

For changing the opacity of inactive windows during Alt+Tab window switching:

  1. Start gconf-editor.
  2. Find /apps/compiz/plugins/staticswitcher/screen0/options/opacity.
  3. Change it to any value you like, where 100 is fully visible and 0 is totally invisible.
Categories: computer, software Tags: , , ,

The power of git aliases

December 9th, 2010 1 comment

Based on a recent question on stackoverflow I found the power of git aliases and want so share one I invented for answering the question and after that I found very useful in everyday git use:

git config --global alias.add-commit '!git add -A && git commit'

After this, you can simply check in all new, modified, and deleted files with a simple

git add-commit -m 'My commit message'

I have aliased this command also to git ac in order to save further on typing. I never thought that this combination could be that useful, but actually I think it really is. Thanks to the questioner for bringing the idea up.

OCZ Vertex2, Linux, and ancient nForce 430 chipset

December 1st, 2010 1 comment

Today I finally received my brand-new Ocz Vertex2 OCZSSD2-2VTXE120G 120GB and eagerly wanted to install it in my 4-year-old HP workstation which currently is running Ubuntu 10.10 exclusively.

After setting up the alignment according to some tutorials I found online, I started the setup process. Shortly after starting the copy step of the installation, the whole process came to a grinding halt with filesystem errors. Looking into the kernel debug messages it seemed like SATA commands were causing errors. After checking hardware, cables and switching SATA ports, I began researching the issue and soon found that the issue might be fixed in the next firmware version of the drive. So I wanted to upgrade from 1.23 to 1.24, which could only be done in Windows…

After installing a trial of Windows 7, I finally wanted to upgrade the firmware, but the drive was not detected, but was accessible. The release notes indicated that I would need to switch to AHCI mode. After several attempts, includig a BIOS update, I realized that there was no way to do this with my old hardware, as my nForce 430 chipset simply doesn’t support it.

So my only remaining option was to simply try the kernel arguments I read to be the fix for 1.24 with the 1.23 hardware.

So, if you add the following kernel option during installation and afterwards for every boot, the disk seems to work quite well (source):

libata.force=norst

Actually, this forces the ATA driver in Linux to not issue any reset commands on the bus. I really don’t understand why this improves/fixes the problem, but it seems the device has issues when being reset on my chipset. I can also notice this that in 2 out of 3 attempts if I reboot the PC the disk is not recognized any more before I reboot again.

Despite these issues, the SSD now runs with astonishing performance with the suggested 32 head / 32 sector alignment, and a 512kB partition alignment scheme. After an initial TRIM with hdparm‘s wiper.sh I enabled -o discard for my ext4 partition and could also verify using hdparm that this results in the sectors being trimmed. Please note, that you need to manually compile and install the latest hdparm version on Ubuntu 10.10, as the included version fails with the very long free block list and doesn’t handle splitting the sectors in multiple requests. The latest version doesn’t have this issue any more.

Remaining Windows Vista/7 “rearm count”

February 19th, 2010 No comments

It is a well-known fact, that it is possible to extend the initial grace period for activating your (hopefully legitimate!) copy of Windows from 30 days to 120 days by using slmgr. This is a tool that is intended to allow the preparation of image-based installers for enterprise use by allowing to reset the initial grace period up to 3 times.

If you tend to forget the number of times you already reset the counter, you can easily check for yourself: simply run

slmgr -dlv

to get detailed licensing information, including the number of remaining re-arms and remaining grace time.

If you want to know when exactly your grace period runs out, use

slmgr -xpr

Note: This simply gives you more time, it won’t prevent you from having to buy and/or activate Windows. Re-arming is not a bug, it works as intended and is an important tool for use in corporate environments.

Categories: computer, sysadmin Tags: , , ,

Novatel Merlin U740 using only Windows 7 onboard tools

November 19th, 2009 No comments

I have lost the install CD of my Novatel Merlin U740, an older PCMCIA UMTS card. As a consequence I got no “Mobilink Connection Manager” after installing Windows 7 on my notebook. Fortunately I found this guide by Novatel Wireless which explains how to connect using only on-board tools in Windows Vista, by setting up a dial-up connection. It still works in Windows 7. The important part is to set the APN as part of the driver’s initialization string.

The telephone number you have to set is *99#, which should be provider-independent.

The following settings are for yesss.at only:
Username: web
Passwort: web

Remember to set the APN as part of the driver’s connection string in Window’s “Device Manager” as described in the PDF.

Again, for yesss.at this is: AT+CGDCONT=1,"IP","web.yesss.at"

For this to work properly, the SIM must not have a PIN set, as otherwise the SIM will be locked and the dialer cannot dial out. For me this is ok, as it is a pre-paid card which can hardly be abused if it gets stolen, but your situation might be different, so please consider the security implications. (I suspect that it should be possible to unlock the SIM card somehow using the AT+CPIN=1234 command, but I did not research how to separate several initialization strings, as it did not work immediately.)

The solution works quite well for me, even under Windows 7. Disadvantage is that there is no way to tell the signal strength and exact mode of operation (despite the color-coded status led on the Merlin U740).

tr.im to be shut down

August 10th, 2009 No comments

To emphasize my demurs against URL shortening services which I have mentioned before, here comes the prove that my thesis is correct: the URL shortening service tr.im is going to be shut down by end of this year. As Robert Scoble put it, this is a “shortcoming” of the Twitter platform, where the shutdown most likely will be felt most.

This is the first time I am aware of actual knowledge/data-loss which will occur due to the shutdown of such a service.

Update: tr.im announced that they will stay in business, due to an overwhelming response. But still, the final shutdown of such a service sooner or latter can and will happen. And even worse would be the continuation of such a service where all the URLs would be redirected somewhere else…

http://blog.tr.im/post/160697842/tr-im-resurrected

URL shortening services soon to be under siege?

June 17th, 2009 No comments

I have already written about my opinion about the problems of URL shortening back in 2005. Yesterday, Jeff Atwood pointed out other issues like commercialization. Today, another threat has come true: hackers have manipulated the URLs of shortening service cli.gs.

Given the huge amount of information hidden behind such shortened URLs, and given the popularity and number of these links, especially nowadays on Twitter, these services could see themselves being under permanent siege of hackers/crackers. Being able to manipulate hundred of thousands if not even more vastly distributed and popular URLs to point to a given site could be used for both, generating (lots of?) ad-revenue, or as a new form of DDoS-attack.

At the moment there seems to be no way around using these services (especially with services like Twitter), but in the medium/long run a solution has to be found if we don’t want to lose lots of valuable information.

Windows Vista Home/Business/Enterprise has a telnet client, too

February 19th, 2009 No comments

For some unknown reason, Microsoft decided that only the “Ultimate” version of Windows Vista ships with the telnet client installed by default. It can, however, be easily installed on all the other versions as well.

  • Open the Control Panel
  • Select “Programs”
  • Select “Turn Windows features on or off”
  • Scroll through the list, select “Telnet client”
  • Press OK
  • Wait (for surprisingly long)

That’s it, voila, the telnet client is now installed on your Windows Vista Non-Ultimate.

Categories: software, sysadmin Tags: , , ,