Archive for February, 2011

Relaying Postfix SMTP via smtp.gmail.com

February 4, 2011

Install the required packages

sudo aptitude install postfix libsasl2 ca-certificates libsasl2-modules

Configure Postfix

This tutorial will not outline how to configure your Postfix server; we’ll jump directly to the relayhost section. Add the following lines to your /etc/postfix/main.cf file:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

The first three lines tell Postfix to relay mail through Gmail on a specific port, to authenticate, and where to find the username and password. The last three lines exclude anonymous authentication mechanisms, specify where the certificate authority file is, and tell Postfix to use TLS.

Define Username and Password

Next we’ll need to populate the sasl_passwd file.  Create the file /etc/postfix/sasl_passwd with the following contents:

[smtp.gmail.com]:587    username@gmail.com:password

(If you have a customized domain, just replace @gmail.com with @yourdomain.)

This file should have restrictive permissions and then needs to be translated into a .db that Postfix will read.

sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

At this point you can restart Postfix and it should work; however, it will complain about not being able to authenticate the certificate. To take care of this issue we’ll use the ca-certificates package we installed and tell Postfix where it can validate the certificate.

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Go ahead and reload Postfix (sudo /etc/init.d/postfix reload).

Done!
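
A check for the relay setup above, as an added example that is not part of the original post: it reads a main.cf-style file, flags settings that weaken the path the Gmail password travels, and checks the permissions on the password map. The function names and the sample directory are constructed for illustration; the check assumes TLS is controlled through smtp_tls_security_level.

```sh
# Added example, not from the original post; function names are illustrative.
# Print the value of parameter $2 in file $1 (the last definition wins).
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one "FINDING: ..." line per problem in the main.cf-style file $1.
audit_relay() {
    case $(get_param "$1" relayhost) in
        \[*\]:*) ;;
        *) echo "FINDING: relayhost is not in [host]:port form" ;;
    esac
    [ "$(get_param "$1" smtp_sasl_auth_enable)" = yes ] ||
        echo "FINDING: smtp_sasl_auth_enable is not yes"
    case $(get_param "$1" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) echo "FINDING: anonymous SASL mechanisms are not excluded" ;;
    esac
    # smtp_use_tls = yes is only opportunistic TLS; these levels make it mandatory.
    case $(get_param "$1" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "FINDING: TLS is not mandatory (smtp_tls_security_level)" ;;
    esac
    # The password map and its compiled .db must be closed to group and other.
    map=$(get_param "$1" smtp_sasl_password_maps); map=${map#hash:}
    for f in "$map" "$map.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            echo "FINDING: $f is accessible to group or other"
    done
}

# Constructed sample: the post's settings plus a world-readable sasl_passwd.
make_sample() {
    cat > "$1/main.cf" <<EOF
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$1/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
EOF
    echo '[smtp.gmail.com]:587 username@gmail.com:password' > "$1/sasl_passwd"
    chmod 644 "$1/sasl_passwd"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_relay "$demo_dir/main.cf"
rm -rf "$demo_dir"
```

Run on the sample it reports two findings: TLS is opportunistic rather than mandatory, and the constructed sasl_passwd is mode 644. After chmod 400 and adding smtp_tls_security_level = encrypt it reports none.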

 

Categories: Linux, Web Dev

Using sudo, ssh, rsync on the Official Ubuntu Images for EC2

February 4, 2011

The official Ubuntu images for EC2 do not allow ssh directly to the root account, but instead provide access through a normal “ubuntu” user account. This practice fits the standard Ubuntu security model available in other environments and, admittedly, can take a bit of getting used to if you are not familiar with it.

This document describes how to work inside this environment using the “ubuntu” user and the sudo utility to execute commands as the root user when necessary.

SSH

First, to connect to an instance of an official Ubuntu image for EC2, you need to ssh to it as “ubuntu” instead of as “root”. For example:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME

Note that existing EC2 documentation and tools like the EC2 Console and Elasticfox assume that all EC2 instances accept connections to root, so you’ll have to remember this change.

If you accidentally ssh to root on one of the official Ubuntu images, a short message will be output reminding you to use “ubuntu” instead.

SUDO

When logged in under the “ubuntu” user, you can run commands as root using the sudo command. For example:

sudo apt-get update && sudo apt-get upgrade -y

Note that sudo clears the environment variables before running the command. If you need to have them set, then use the sudo -E option.

SUDO PASSWORD

The official Ubuntu images for EC2 are configured so that no password is required for sudo from the “ubuntu” user. Yes, this sacrifices a bit of security from standard Ubuntu operation, but any published hardcoded password would be more insecure, and randomly assigned passwords quickly become unmanageable when running many instances, in addition to preventing some types of remote automation described below.

Note that this policy does not allow logging in to the “ubuntu” user without a password. The password is disabled for login and not required for sudo. Login is done through the usual EC2 ssh keypair management as described above.

If you wish to increase security in this area, set the ubuntu user password and adjust the /etc/sudoers file.

sudo passwd ubuntu
sudo perl -pi -e 's/^(ubuntu.*)NOPASSWD:(.*)/$1$2/' /etc/sudoers

Make sure you set the password successfully first and remember it. If you change the sudoers file first, you will be stuck with no root access on that instance.
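
A more defensive way to make the same sudoers change, as an added example that is not part of the original post: it edits a copy, syntax-checks the copy with visudo, keeps a backup, and only then replaces the file. The function names and the sample file are constructed; on a real instance the file is /etc/sudoers, the script runs as root, and it should run only after sudo passwd ubuntu has succeeded.

```sh
# Added example, not from the original post; function names are illustrative.
# Filter: remove "NOPASSWD:" from sudoers rules that start with the user $1.
strip_nopasswd() {
    sed "s/^\($1[[:space:]].*\)NOPASSWD:[[:space:]]*/\1/"
}

# require_password FILE USER: returns 0 if FILE was changed, 1 otherwise.
require_password() {
    src=$1
    tmp=$(mktemp) || return 1
    strip_nopasswd "$2" < "$src" > "$tmp"
    if cmp -s "$src" "$tmp"; then
        echo "no NOPASSWD rule for $2 in $src" >&2
        rm -f "$tmp"; return 1
    fi
    # visudo ships with sudo; -c -f syntax-checks a file without installing it.
    # The check is skipped only where visudo is absent (e.g. a test container).
    if command -v visudo >/dev/null 2>&1 &&
       ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        echo "edited copy does not parse; $src left untouched" >&2
        rm -f "$tmp"; return 1
    fi
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$src" "$src.orig" && cp "$tmp" "$src"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample sudoers file standing in for /etc/sudoers.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root    ALL=(ALL) ALL
ubuntu  ALL=(ALL) NOPASSWD:ALL
EOF
require_password "$sample" ubuntu && cat "$sample"
rm -f "$sample" "$sample.orig"
```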

ROOT SHELL

If you want to switch to a root shell once you are logged in to the “ubuntu” user, simply use the command:

sudo -i

This is generally not recommended as it loses the enhanced logging of commands used as root and you risk accidentally entering commands when you did not intend to use root.

SSH SUDO

To automate a remote command as root from an external system, connect to “ubuntu” and use sudo:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo apt-get install -y apache2'

RSYNC

Now for the trickiest one. Sometimes you want to rsync files from an external system to the EC2 instance and you want the receiving end to be run as root so that it can set file ownerships and permissions correctly.

rsync -Paz --rsh "ssh -i KEYPAIR.pem" --rsync-path "sudo rsync"   LOCALFILES ubuntu@HOSTNAME:REMOTEDIR/

The --rsh option specifies how to connect to the EC2 instance using the correct keypair. The command in the --rsync-path option makes sure rsync is running as root on the receiving end.

The -Paz options are just some of my favorites. They aren’t a key part of this rsync approach.

In order for this method to work, the “ubuntu” user must be able to sudo without a password (which is the default on the official Ubuntu images as described above).

ROOT SSH

Finally, if you wish to circumvent the Ubuntu security standard and revert to the old practice of allowing ssh and rsync as root, this command will open it up for a new instance of the official Ubuntu images:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME   'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/'

This is not recommended, but it may be a way to get existing EC2 automation code to continue working until you can upgrade to the sudo practices described above.

SEE ALSO

For more information on recommended sudo practices in Ubuntu, please refer to:

https://help.ubuntu.com/community/RootSudo

Categories: Amazon Cloud

Install Asterisk 1.8 on Ubuntu 10.10 Server

February 4, 2011

Install MySQL (you should enter the password for the MySQL root user; for example 1234):

aptitude update
aptitude install -y mysql-server

Install all other dependencies we will need later:

aptitude install -y build-essential linux-headers-`uname -r` openssh-server bison flex apache2 \
    php5 php5-curl php5-cli php5-mysql php-pear php-db php5-gd curl sox libncurses5-dev libssl-dev \
    libmysqlclient15-dev mpg123 libxml2-dev

Download all the asterisk source packages that we are going to compile:

cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8.2.3.tar.gz
tar xzvf asterisk-1.8.2.3.tar.gz

Once we have all the sources we will compile them. Reading the relevant configuration, or at least the README file, is always a good idea.

cd asterisk-1.8.2.3
./configure
make
make install

Install the sample configurations:

make samples

Now we start doing some adjustments to make our installation work. We create the user “asterisk” and add the apache user to the “asterisk” group (not sure if this is needed):

adduser asterisk --disabled-password --no-create-home --gecos "asterisk PBX user"
adduser www-data asterisk

Change the default user and group for apache to asterisk in apache2.conf (this is also a step that doesn’t convince me much, but as it is just a test, let’s follow the directives of the original script):

cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf_orig
sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/apache2/apache2.conf

In the original script it is also proposed to modify the sha-bang of the /usr/sbin/safe_asterisk script from sh to bash:

nano /usr/sbin/safe_asterisk

Change the first line from

#!/bin/sh

to

#!/bin/bash

Now create the script that will manage the asterisk service. Here I haven’t made any changes to the original script; I’ve just added the basic information (init info) that every init script should carry:

cat > /etc/init.d/asterisk <&2
    exit 3
;;

esac

exit 0
END_STARTUP

Make appropriate modifications to the asterisk init script to make it available at boot:

chmod 755 /etc/init.d/asterisk
update-rc.d asterisk defaults 90 10

We are almost done. Now we are going to install FreePBX, the graphical interface that we will use to manage Asterisk (now here comes the chaos; IMHO the following steps would be better reorganized):

cd /usr/src/
wget -O - http://mirror.freepbx.org/freepbx-2.7.0.tar.gz | tar xvfz -
cd freepbx-2.7.0/

Copy amportal.conf configuration file to /etc/:

cp amportal.conf /etc/

Create the databases. Remember that we had used “1234” as the password for our mysql root user. We also define a password for the asterisk database, e.g. 4321:

export MYSQL_ROOT_PW=1234
export ASTERISK_DB_PW=4321
mysqladmin -u root -p${MYSQL_ROOT_PW} create asterisk
mysqladmin -u root -p${MYSQL_ROOT_PW} create asteriskcdrdb
mysql -u root -p${MYSQL_ROOT_PW} asterisk < SQL/newinstall.sql
mysql -u root -p${MYSQL_ROOT_PW} asteriskcdrdb < SQL/cdr_mysql_table.sql
mysql -u root -p${MYSQL_ROOT_PW} <<-END_PRIVS
GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
flush privileges;
END_PRIVS

And slightly modify the settings in /etc/amportal.conf (in the original script this is done before installing freepbx, so we do it too):

sed -i "s/# \(AMPDBUSER=.*\)/\1/" /etc/amportal.conf
sed -i "s/# \(AMPDBPASS=\).*/\1${ASTERISK_DB_PW}/" /etc/amportal.conf
sed -i "s@\(AMPWEBROOT=\).*@\1/var/www/@"  /etc/amportal.conf
sed -i "s@\(FOPWEBROOT=\).*@\1/var/www/panel@" /etc/amportal.conf
sed -i "s@\(FOPWEBADDRESS=\).*@\1PUTIPADDRESS@" /etc/amportal.conf

Adjust some php.ini settings related to the use of memory (in the original script there are some changes that are not necessary for Lucid):

sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php5/apache2/php.ini

Change the permissions of a series of directories:

chown asterisk. /var/run/asterisk
chown -R asterisk. /etc/asterisk
chown -R asterisk. /var/{lib,log,spool}/asterisk
chown -R asterisk. /var/www/

We enable the asterisk configuration as indicated in /etc/asterisk/asterisk.conf by removing the trailing characters in the first line:

sed -i '1 s/\(\[directories\]\).*/\1/' /etc/asterisk/asterisk.conf

At last! Let’s install FreePBX:

./start_asterisk start
./install_amp

Restart apache2 and dahdi:

/etc/init.d/apache2 restart
/etc/init.d/dahdi restart

Finally (it seems necessary):

ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
amportal start

That’s all; we can connect to the management interface of our new virtual IP PBX at http://ip/admin/

A reboot shows that everything works!

Categories: Asterisk, Freepbx

Make a Sitemap for Search Engines

February 4, 2011

Add the following line to your robots.txt:

Sitemap: http://www.example.com/name-of-sitemap-file.xml

Create a Sitemap File

A sitemap file that follows the Sitemap Protocol is just a straightforward ASCII text file. You can create it using any ordinary ASCII text editor. If you use Windows, Notepad (found in the Accessories folder of your Start menu) can be used. Do not use a word processor like Microsoft Office or Word.

By way of example, take a look at the following example file:

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://example.com/</loc></url>
<url><loc>http://example.com/thesitewizard-is-helpful.html</loc></url> 
<url><loc>http://example.com/thesitewizard-is-wonderful.html</loc></url>  
<url><loc>http://example.com/all-hail-thesitewizard.html</loc></url>
</urlset>

Place the two files in the root directory of your web host.

Categories: Web Dev