Behind the Eyes

Tag: Canonical

  • Growing Ubuntu LVM After Install

    Hello everyone. I hope you have all been well.

    I have a new blog entry on something I just noticed today.

    So I typically don’t use LVM in my Linux Virtual Machines, mainly because I have had some issues in the past trying to migrate VM’s from one hypervisor type to another, for example, VMware to KVM or vice versa. I have found that if I use LVM, I have mapping issues and it takes some work to get the VM’s working again after converting the raw disk image from vmdk to qcow2 or vice versa.

    However, since I don’t plan on doing that anymore (I’m sticking with KVM/Qemu for the time being) I have looked at using LVM again since I like how easy it is to grow the volume if I have to in the future. While growing a disk image is fairly easy, trying to grow a /dev/vda or /dev/sda is a little cumbersome, usually requiring me to boot my VM with a tool like PMagic or even the Ubuntu install media and using gparted to manipulate the size and then rebooting back into the VM after successfully growing it.

    With LVM, this is much simpler. 3 commands and I’m done, and don’t need a reboot. Those commands:

    • pvdisplay
    • lvextend
    • resize2fs

    Now, One thing I have noticed after a fresh install of Ubuntu Server 22.04.2, using LVM, I don’t get all my hard drive partition used. I noticed this after I installed, I ran df -h and noticed that my / folder was at 32%. I built the VM with a 50G hard drive, yet df was only seeing 23GB. I then ran

    sudo pvdisplay

    Sure enough, the device was 46GB in size. I then ran

    sudo lvextend -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv

    This command extended my partition out to the remaining space. Next, I grew the file system to use the new space:

    sudo resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv

    I then ran df -h again, and low and behold, my / folder is now saying 46GB and 16% used instead of 32%.

    I hope this helps anyone else!

  • Using UFW to secure a server

    Using UFW to secure a server

    Hello Everyone! Hope you’re doing well!

    So for the last few weeks, I have been dealing with a DoS attack happening against me. After spending a couple days with Comcast Network Engineers we finally figured out that my mail server was being attacked. Once we disabled the NIC on the server, Internet service would start up immediately and everything appeared to be working properly. Looking at the auth logs, I noticed that port 80 and port 22 were getting bombarded by the DoS attacks.

    Since the Comcast gateway has a poor firewall, I looked in to getting an upgraded PAN to meet my demand, but unfortunatly, that was going to set me back about $4k, and I looked at Untangle, but ran into configuration issues with the Comcast Gateway and my static IP’s.

    So, until I save my pennies to get the upgraded PAN I had to use ufw to block my attacks.

    UFW, or Uncomplicated Firewall, is the default Firewall for Ubuntu. Since my mail server is running Ubuntu, I decided to use this. And it is fairly easy to setup and use.

    First thing I noticed when being attacked is that specific Chinese IP addresses were attacking the server on port 22 and port 80, which are the SSH port and the unencrypted default web server port. So these were going to be the first ones that I setup, however, one thing to note is that when you enabled ufw, it blocks all traffic, which is a good thing really, however, when you rely on email for your job, blocking it all is not good. so I needed to find out what external ports I needed to have open to the public so that it would still work, and which ones I could have just available internally so that I can still work on the servers if I need to.

    First thing I did was look at what ports my server was sharing outside. I did this with the netstat command:

    netstat -an | more

    This command outputs all the interfaces and ports that the server is listening and communicating on. This also tells you who is connected to what service if they have an open session, so this command is pretty important if you are wanting to get into security.

    To make it easy, I needed imap, pop, smtp, ssh, http, https, and ldap.

    I also needed to know what can be internal only and what needs to be exposed to the public so that my email server can still get email.

    Here is what I came up with:

    PortsVisibility
    22 (SSH)Internal
    25 (SMTP)public
    443 (HTTPS)public
    993 IMAPpublic
    465 (SMTPS)public
    587 (SMTP Submission)public
    80 (HTTP)Internal
    110 (POP3)Internal
    143 IMAPInternal
    389 (LDAP)Internal
    995 (IMAPS)Public

    So, now that I have the required information, I can create the rules. They are as simple as doing the following command:

    sudo ufw allow from x.x.x.x/24 to any port 22

    This rule allowed only my internal IPv4 network to connect to the server. I did this for all internal addresses. I also added the specific email external IP address with a /32 to specify only the server could talk to itself on the internal ports. Might have been overkill, but better safe than sorry. For my public rules I did the following command:

    sudo ufw allow from any to any port 443

    This will also create IPv6 rules as well.

    If you accidently create a rule and it isn’t working properly, you can remove the rule by first looking up its number:

    sudo ufw status numbered

    and then:

    sudo ufw delete [rule #]

    Once everything is done, enable the firewall so that the rules will be applied:

    sudo ufw enable

    If you every need to stop the firewall, you can disable it by sudo ufw disable and it will go back to being unsecured.
    I still had to reboot the server after creating the rules and enabling the firewall since sessions were still open but after the reboot, I haven’t had any more issues and email still works. You can look at the syslog to see all the blocks, which is somewhat fullfilling.

    If you have any questions, or if you have any comments, please leave them below!
    Thanks!

  • Setting up Unreal Tournament 2004 Game server on Ubuntu 16.04

    Hey everybody.

    Been a while since I wrote here. Figured I would write up a howto to setting up a Unreal Tournament 2004 server. I really love this game. It brings back tons of memories, playing this when I was in the Navy with my friends on the sub.

    My boys have some break time off from school, and they played a little bit back in the day, so I decided to spin up a server so that we could play. I looked for a way to do this online, and couldn’t find anything so I figured I would write something up, so here you go.

    So, the good thing is that because the game is pretty old now, over 13 years old now, it doesn’t really require a lot of CPU or memory or storage. I deployed a KVM with 2 cores and 4GB of RAM and 20GB storage server running Ubuntu 16.04.3, and got all the updates installed. I then spent the next few hours searching for the ut2004 dedicated server package. Never could find it. Luckily, I had a backup copy, which I have uploaded to this server so you can download it here. You’ll also need the patch, which you can download here.

    I created a directory for the game in /usr/local/games/UT2004 and extracted the .zip here:

    sudo unzip -d /usr/local/games/UT2004 dedicatedserver3339-bonuspack.zip

    Once that was complete, I then untarred the patch and had to manually install it, since it creates a directory called UT2004-Patch so I had to actually go into each directory and move the files into their respective directories in the UT2004 directory. Once that was complete, you now have a system capable of running Unreal Tournament 2004 server. However, I needed to do a couple more things.

    Next, you need to install libstdc++5 package. This is required so that Unreal can run. Run the following command to install libstdc++5:

    sudo apt install libstdc++5

    One, I decided to start the web admin. In the /usr/local/games/UT2004/System/UT2004.ini. Find the UWeb.Webserver section and modify it:

    [UWeb.WebServer]
Applications[0]=xWebAdmin.UTServerAdmin
ApplicationPaths[0]=/ServerAdmin
Applications[1]=xWebAdmin.UTImageServer
ApplicationPaths[1]=/images
bEnabled=True
ListenPort=80

    You can change the ListenPort to what ever you want, you just need to change bEnabled=False to True to enable it.

    Next, I decided that I wanted this to run as a service using SystemD instead of just running in the background with me logged in to the server. Below is my UT2004-Server.service file:

    [Unit]
Description=Unreal 2004 Dedicated Server
After=network.target

[Service]
Type=simple
User=ut2004
WorkingDirectory=/usr/local/games/UT2004/System
ExecStart=/usr/local/games/UT2004/System/ucc-bin-linux-amd64 server CTF-BridgeOfFate?game=XGame.xCTFGame?AdminName=admin?AdminPassword=XXXXXXXX ini=UT2004.ini log=server.log -nohomedir
Restart=on-abort

    Just change the ?AdminPassword= to what you want I then copied the file into /lib/systemd/system and chmod 644 and chown root:root the ut2004-server.service file and now I can control the service with systemctl:

    systemctl start ut2004-server.service and I can get status with systemctl status ut2004-server.service

    One last thing I did as well is I included my cdkey from my game since I was getting errors about a missing cdkey, however, I have tested it, and it is not required. The game will still run, you just can’t advertise your server on the Internet and host Internet games without it, which means your stats also won’t work. You used to be able to download a CD-Key from Epic, but that service is no longer working. I emailed them about this on December 2, 2017 with no reply as to date.

    Happy gaming!

  • Install Ubuntu-Touch on BQ Aquaris M10 FHD

    Hello everyone! This blog entry is mostly for those of you that want to play with Ubuntu-Touch on the BQ Aquaris M10. You can actually purchase this tablet from BQ directly, but they have been sold out for a while, and I really wanted to have one.

    So, I bought the Android version, which isn’t too different in specs. However, it comes running Android Marshmallow. I played around with it for a day just because I haven’t played with Android in a while, and realized a lot has changed since Froyo, which was the last version I played with. After the nostalgia ran off, I decided to start trying to install Ubuntu on my device.

    First thing I did was go to Installing Ubuntu on Devices website. I found all the details of setting up my build machine to handle this.

    First thing I did was install the ppa for the Ubuntu SDK and for the phablet-tools package.

    sudo add-apt-repository ppa:ubuntu-sdk-team/ppa

    Then run sudo apt update to get my repo locations updated to use the ppa.

    It than install the ubuntu-device-flash which is what does all the heavy lifting and getting the image on the device. I also install adb, which is Android Debug Bridge application which is needed to manage the device and get access to the internal bits of the device, and fastboot which manages the device when its in the bootloader.

    sudo apt install ubuntu-device-flash phablet-tools

    After I had all the required tools on my laptop, I was ready to start. First thing I did was I had to put my M10 into Developer Mode. To do this, Click on System and go to About. Click the Build seven times. It will start a countdown on the screen saying “Press x time to enable Developer Mode.” Once done, go back and you will see Developer Options on the screen next to About. Select it and enabled OEM Unlock Bootloader, which it will bring up a prompt asking if you are sure since this does void the warranty, and it warms you every time you reboot the device saying it is in Orange State and can’t be protected and delays the boot by five seconds. Select Yes and then Enable USB Debug and turn off Protect ADB APK uploads. Probably isn’t necessary, but I did it anyways.

    Now, plug your USB cable into your laptop and your device, You will get a prompt on the tablet asking if you trust this device, click the check to always trust and say Yes. You can now use the adb command on the laptop to control the tablet.

    First, check that your laptop sees everything:

    adb devices

    You should get a return of the M10’s serial number and the word device next to it. We are now ready to go into the Bootloader. Do this from adb:

    adb reboot bootloader

    The device will reboot, give you the warning that I mentioned above about being Unlocked and unprotected, and then a blank screen with Fastboot Loader on the bottom. This is the fastboot bootloader. We now have to unlock the device:

    Make sure you can communicate with the device with fastboot:

    fastboot devices

    You should get a return of the M10’s serial Number and fastboot on the same line.

    You unlock the device by typing:

    fastboot oem unlock

    You will get a prompt on the device saying Press Volume + to Unlock and Volume – to cancel. Press Volume + on the device and you will get a confirmation saying device unlocked and on your Laptop it will say OKAY and exit. Now we can reboot the device again.

    fastboot reboot

    Now, it will start back up in Android, after about 10 minutes. You will have to reconfigure the device, basically I skip everything until I can get to the point where I can turn the device off. I turn it off and then I turn it back on, but when I press the power button, I also hold down the Volume + button at the same time. This will cause the M10 to go into Recovery Mode. Once The Screen comes up saying Powered by Android and you get the Unlocked Warning again, you can release the power button, but keep pressing the Volume + button until you get the Fastboot screen. Verify you can communicate to the device:

    fastboot devices

    You should get the serial number and fastboot on the same line. Now we can install Ubuntu….kind of.

    First, you need to download the recovery image from Ubuntu since the built in one on the device does not allow adb. Depending if you have the M10 FHD or just the M10, you need a specific image. Since I was using the FHD, I need the frieza image. You can download them by clicking the appropriate link from this page.

    Run the following to start the process:

    ubuntu-device-flash -v touch \
--channel=ubuntu-touch/stable/bq-aquaris-pd.en \
--device=frieza --bootstrap \
--recovery-image=recovery-frieza.img

    It will download and start copying all the required files for the device. Unfortunately, it will fail. The Android partition layout is way to small for Ubuntu recovery. So, after it fails, you can wipe the cache from the device. Next, you will use adb to manage the partitions.

    First, you need to download parted for Android. Luckly, I have a version here you can use. Download this and untar it and then move it to the /sbin directory on your device:

    tar xf parted-android-32.tgz
adb push parted /sbin
adb shell chmod +x /sbin/parted

    Now we are ready to do some “damage” to the device.

    NOTE: Word of caution here. We are going to delete and grow 3 file systems on the device. Please follow these directions closely and watch out for typos. You don’t want that otherwise we have to start all over again.

    First, run adb shell. You are now on the console of the device as root. If you run df -h you’ll notice that /cache is out of space, and it’s only a little over 400MB in size. No where near the size we need since we have a little over 870MB of files we need to upload before we can install Ubuntu. The other thing you’ll notice once we get into the partitioning, is that the /system directory is only 1.5GB in size, and Ubuntu needs at least 4GB for the installation. However, the userdata partition is 15GB in size, so we are going to steal from there to repurpose to these other partitions.

    First thing to do is run parted /dev/block/mmcblk0

    Type p to list the partitions, there are 24 partitions. We are only concerned with 21, 22, and 23. First change the unit to bytes, unit b and then run p again to get that readout:

    p
Model: MMC 016G70 (sd/mmc)
Disk /dev/block/mmcblk0: 15758000128B
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number Start End Size File system Name Flags
1 524288B 3670015B 3145728B proinfo
2 3670016B 8912895B 5242880B nvram
3 8912896B 19398655B 10485760B protect1
4 19398656B 29884415B 10485760B protect2
5 29884416B 80216063B 50331648B persist
6 80216064B 80478207B 262144B seccfg
7 80478208B 80871423B 393216B lk
8 80871424B 97648639B 16777216B boot
9 97648640B 114425855B 16777216B recovery
10 114425856B 120717311B 6291456B secro
11 120717312B 121241599B 524288B para
12 121241600B 129630207B 8388608B logo
13 129630208B 140115967B 10485760B expdb
14 140115968B 141164543B 1048576B frp
15 141164544B 146407423B 5242880B tee1
16 146407424B 151650303B 5242880B tee2
17 151650304B 153747455B 2097152B kb
18 153747456B 155844607B 2097152B dkb
19 155844608B 189399039B 33554432B metadata
20 189399040B 201326591B 11927552B custram
21 201326592B 1811939327B 1610612736B ext4 system
22 1811939328B 2256535551B 444596224B ext4 cache
23 2256535552B 15616966655B 13360431104B userdata
24 15616966656B 15757983231B 141016576B flashinfo

    Note the start and ends for the partitions 20 and 24. Partition 21 will start with 201326592 which is +1 from the end of the previous partition. We need to do this for each partition we are growing so that they are uniform and not overlapping and cause problems.

    First we need to delete the three partitions:

    rm 21
rm 22
rm 23

    Now we are ready to recreate them, only larger in size. Since we are using bytes, the numbers are quite large, and need to equal logical sizes. Basically, do the math of starting byte, add the amount of more space you want, make that the end byte, then the next partition starts on the +1 of the last end byte until you get to partition 23, which you will end -1 byte of where partition 24 starts. So partition 23 will end with 15616966655. If you use the values that I did, you will end up with a system partition of 4.3GB, cache of 1.07GB, and a userdata of 9.6GB:

    mkpart primary 201326592 4496294399
mkpart primary 4496294400 5570036224
mkpart primary 5570036736 15616966655
name 21 system
name 22 cache
name 23 userdata
quit

    We now need to format the volumes:

    mke2fs -t ext4 /dev/block/mmcblk0p21
mke2fs -t ext4 /dev/block/mmcblk0p22
mke2fs -t ext4 /dev/block/mmcblk0p23

    Now, on the device, use the Volume – to select reboot into bootloader and press the Power button to select it. The device will reboot and you will be brought back to the screen where it just says FASTBOOT on the bottom.

    Now we can start the flash again, and this time it will work:

    ubuntu-device-flash -v touch \
--channel=ubuntu-touch/stable/bq-aquaris-pd.en \
--device=frieza --bootloader \
--recovery-image=~/frieza-recovery.img

    Once the installation is done, you will have Ubuntu running on your device. It takes about 10 minutes to install, but after the reboot, the initial splash screen will have the BQ logo but say powered by Ubuntu and you won’t have the annoying Unlocked Device unprotected alert any more.

    Let me know in the comments if you have any issues! Happy Hacking!

  • Livepatching the Kernel in Ubuntu 16.04 LTS

    Hello everyone and Happy New Year! I hope 2017 has started great for everyone out there.

    So I have been playing around with Canonical’s Livepatch service on my Ubuntu 16.04 servers and I have to say, it is pretty slick. I run two KVM hosts that run various servers and containers so that I can do my job. In fact, this web server runs as a KVM on one of my hosts. Since I can’t typically run kernel updates and reboot when ever I feel like since I have other work loads running on these servers, Canonical Livepatch answers this problem for me.

    How it works is pretty simple. When a security patch for the Kernel comes out, this service downloads the patch and installs it in the running kernel on my system WITHOUT HAVING TO REBOOT MY SERVER!!! That is amazing!! I get the security update to patch and make my system secure and I don’t have to schedule a maintenance window and bring down 20+ VM’s and 100+ containers, I can just update the host and BAM! All my containers and my hosts are updated, no reboot, no downtime. I still have to touch all my KVM’s, but that is the way when you run VM’s.

    So you want to try this out? It’s pretty simple to setup. First, it only works on Ubuntu 16.04 LTS. This “should” change to be available in 14.04 but as of when I wrote this, it was still not yet available on 14.04.

    The Kernel Livepatch is a snap application, making use of snaps on the system. This makes it even easier to install and update. To install on your system, it is as simple as:

    sudo snap install canonical-livepatch

    This will pull down the snap application and install and start it. Now, you have to enable the service. You need to go to https://auth.livepatch.canonical.com to sign up for the service. Regular Ubuntu users are authorized up to 3 machines to get Livepatches for. If you need more, you can purchase them via support for your systems. Once you are signed up, you will have a token that you use to add your systems.

    You then run:

    sudo canonical-livepatch enable <TOKEN>

    This will setup livepatch. To see it work, simply run

    canonical-livepatch status --verbose

    and you will get the following output:

    client-version: "6"
machine-id: --REMOVED--
machine-token: --REMOVED--
architecture: x86_64
cpu-model: Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz
last-check: 2017-01-11T15:21:36.477627539-08:00
boot-time: 2016-11-28T09:16:56-08:00
uptime: 1062h5m33s
status:
- kernel: 4.4.0-47.68-generic
  running: true
  livepatch:
    checkState: checked
    patchState: applied
    version: "15.1"
    fixes: |-
      * CVE-2016-7425
      * CVE-2016-8655
      * CVE-2016-8658

    I have those CVE’s installed, and I didn’t have to reboot my system for them to be implemented.  Now my KVM host is patched, and I had 0 downtime to do it.

    There you have it. Let me know in the comments if you have any questions!