Mixing Stable, Unstable, Testing and Experimental Packages in Debian

This is a very useful article from ServerFault on installing mixed packages in Debian.

Many people seem to be afraid of mixing stable with testing, but frankly, testing is fairly stable in its own right, and with proper preferences and solution checking, you can avoid the stability drift that puts your core packages on the unstable path.

"Testing is fairly stable?" you ask. Yes. In order for a package to migrate from unstable to testing, it has to have zero open bugs for 10 consecutive days. Chances are that, especially for the more popular packages, somebody is going to submit a bug report for an unstable version if something is wrong.

Even if you don’t want to mix the environments, it’s still nice to have the option there in case you run into something that requires a newer version than what is in stable.

Here’s what I recommend for setting this up:

First, create the following files in /etc/apt/preferences.d:

security.pref:

Package: *
Pin: release l=Debian-Security
Pin-Priority: 1000

stable.pref:

Package: *
Pin: release a=stable
Pin-Priority: 900

testing.pref:

Package: *
Pin: release a=testing
Pin-Priority: 750

unstable.pref:

Package: *
Pin: release a=unstable
Pin-Priority: 50

experimental.pref:

Package: *
Pin: release a=experimental
Pin-Priority: 1

(Don’t be afraid of the unstable/experimental stuff here. The priorities are low enough that it’s never going to automatically install any of that stuff. Even the testing branch will behave, as it’s only going to install the packages you want to be in testing.)

Now, create a matching set for /etc/apt/sources.list.d:

security.list:

deb     http://security.debian.org/         stable/updates  main contrib non-free
deb     http://security.debian.org/         testing/updates main contrib non-free

stable.list:

deb     http://mirror.steadfast.net/debian/ stable main contrib non-free
deb-src http://mirror.steadfast.net/debian/ stable main contrib non-free
deb     http://ftp.us.debian.org/debian/    stable main contrib non-free
deb-src http://ftp.us.debian.org/debian/    stable main contrib non-free

testing.list: Same as stable.list, except with testing.

unstable.list: Same as stable.list, except with unstable.

experimental.list: Same as stable.list, except with experimental.

You can replace the steadfast.net mirror with whatever you want. I’d recommend using netselect-apt to figure out the fastest mirror, and use that for your first choice. The ftp.us.debian.org can be used as a backup. It’s also important to use the terms stable, testing, unstable, etc., instead of squeeze, wheezy, sid, etc., since stable is a moving target and when it comes time to upgrade to the latest stable, apt/aptitude will figure that out automatically.

You can also add an oldstable in sources.list.d and preferences.d (use a priority of 1), though this moniker will tend to expire and disappear before the next stable cycle. In cases like that, you can use http://archive.debian.org/debian/ and hardcode the Debian version (etch, lenny, etc.).

To install the testing version of a package, simply use aptitude install lib-foobar-package/testing, or just jump into aptitude’s GUI and select the version inside of the package details (hit enter on the package you’re looking at).

If you get complaints of package conflicts, look at the solutions first. In most cases, the first one is going to be don’t install this version. Learn to use the per-package accept/reject resolver choices. For example, if you’re installing foobar-package/testing, and the first solution is don’t install foobar-package/testing, then mark that choice as rejected, and the other solutions will never veer to that path again. In cases like these, you’ll probably have to install a few other testing packages.

If it’s getting too hairy (like it’s trying to upgrade libc or the kernel or some other huge core system), then you can either reject those upgrade paths or just back out of the initial upgrade altogether. Remember that it’s only going to upgrade stuff to testing/unstable if you allow it to.
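How APT turns the priorities above into an install candidate, as an added example (not from the original article): a simplified shell model of the selection rules in apt_preferences(5). The package versions are constructed, and `sort -V` stands in for dpkg's version comparison.

```shell
#!/bin/sh
# Simplified model of APT candidate selection per apt_preferences(5).
# Not APT's own code; the versions below are constructed sample data.

# ver_lt A B: succeeds when version A sorts strictly before B.
# Assumption: sort -V is close enough to dpkg ordering for simple versions.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# apt_candidate INSTALLED   (stdin: one "version priority" pair per line)
# INSTALLED is the installed version, or "" when the package is absent.
apt_candidate() {
    installed=$1
    best_ver=""
    best_prio=0
    while read -r ver prio; do
        [ -n "$ver" ] || continue
        # Versions pinned at 0 or below are never picked in this model.
        [ "$prio" -gt 0 ] || continue
        # A downgrade is only considered at priority >= 1000.
        if [ -n "$installed" ] && [ "$prio" -lt 1000 ] &&
            ver_lt "$ver" "$installed"; then
            continue
        fi
        # Highest priority wins; equal priority goes to the newer version.
        if [ "$prio" -gt "$best_prio" ] ||
            { [ "$prio" -eq "$best_prio" ] && ver_lt "$best_ver" "$ver"; }; then
            best_ver=$ver
            best_prio=$prio
        fi
    done
    printf '%s\n' "$best_ver"
}

# Priorities from the .pref files: stable 900, testing 750, unstable 50.
repo='1.0 900
2.1 750
3.0 50'

echo "not installed:        $(printf '%s\n' "$repo" | apt_candidate "")"
echo "2.0 from testing:     $(printf '%s\n' "$repo" | apt_candidate 2.0)"
# An installed version that is in no repository is scored at 100.
echo "local 2.9 installed:  $(printf '2.9 100\n3.0 50\n' | apt_candidate 2.9)"
# apt_preferences(5): priority >= 1000 installs even if that is a downgrade.
echo "security pin at 1000: $(printf '1.0+deb8u1 1000\n2.0 750\n' | apt_candidate 2.0)"
```

A package left alone stays on stable, one installed from testing keeps following testing, and unstable is never chosen over an installed version. The last case shows that a pin of exactly 1000 can pull a testing-installed package back to the security archive's version.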

Observium Notes

A few notes on my Observium setup on a Debian 8 Jessie system. All configuration options and details can be found at the Observium documentation page.

Bad Interfaces

These entries are in /opt/observium/config.php

$config['bad_if'][] = "voip-null";
$config['bad_if'][] = "virtual-";
$config['bad_if_regexp'][] = "/serial[0-9]:/";
$config['bad_if'][] = "loopback";
$config['bad_if'][] = "lo";
$config['bad_if'][] = "dummy";
$config['bad_if_regexp'][] = "/tunnel_[0-9]/";
$config['bad_iftype'][] = "voiceEncap";

Other Configuration Options

A few other customizations in the /opt/observium/config.php file.

$config['rrdgraph_real_95th'] = TRUE;
// Graphs can be fetched without logging in.
$config['allow_unauth_graphs']    = 1;
$config['login_message']    = "Unauthorised access shall render the user liable to criminal and/or civil prosecution.";
$config['page_title_prefix'] = "Rich Kreider - Monitoring :: ";

ManageEngine ServiceDesk Plus MSP – Bind to Specific IP

I’m testing out ManageEngine ServiceDesk Plus MSP and trying to get it to bind to a specific IP address on my Linux server to no avail.

Documentation from 2005, 2008, 2011 and 2014 all indicate to modify server/default/conf/TrayIconInfo.xml and add the following changes:

<SDP-PROPERTIES RequestScheme="http" WebPort="80" ipToBind="ww.xx.yy.zz"/>
 <ADDITIONALPARAMS ParamName="ipToBind" ParamValue="-bww.xx.yy.zz"/>

This doesn’t work and still listens on all interfaces causing my other services a conflict.

Eventually if I figure this out, I’ll put a note here for my future reference.

Windows 10 with Ubuntu: Bash + Conky + Firefox

Install the Windows Subsystem for Linux (Beta)

Set Windows 10 Developer Mode

Install X Server in Windows

I prefer Xming;  get it and install it from here:  http://sourceforge.net/projects/xming/files/latest/download

The defaults should work just fine.

Install stuff in Bash

Open a Bash prompt; you can hit the Windows Key and start typing bash (without quotes). It’ll go through some installation stuff the first time you run it… give it a minute or two.

When it’s all done, time to install things…

Install some things in Bash.  I’m just going to install Firefox and Conky.

$ sudo apt-get install firefox conky

My conkyrc

The own_window_transparent yes causes weird issues for me; so I commented that out.

~/.conkyrc

own_window yes
#own_window_transparent yes
own_window_type desktop
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
own_window_argb_visual true
own_window_argb_value 0
out_to_console no
use_xft yes
xftfont cure:size=10
update_interval 2
cpu_avg_samples 2
net_avg_samples 2
double_buffer yes
maximum_width 320
draw_shades no
draw_outline no
draw_borders no
stippled_borders 1
border_width 20
default_color white
default_shade_color white
default_outline_color white
alignment top_right
gap_x 15
gap_y 0
use_spacer left
no_buffers yes
uppercase no

TEXT


${color}${alignc}${time %A %B %d %Y | %H:%M:%S}

${alignc}$color Linux $kernel on $machine

${color}${alignc}${color lightgrey}Uptime: ${color}$uptime | ${color lightgrey}Load: $color$loadavg${color lightgrey}

${color lightgrey}${alignc}Battery :$color ${battery} | ${color lightgrey}Time: ${color}$battery_time
${alignc}${color #FFEF00}${battery_bar 8,278}
${color #656565}$stippled_hr$color
${alignc}${color lightgrey}${execi 1000 cat /proc/cpuinfo | grep 'model name' | sed -e 's/model name.*: //'| uniq}

${alignc}${color lightgrey}Total CPU Usage: ${color}${cpu cpu0}%
${alignc}${color #FFEF00}${cpubar cpu0 6,150}$color

${color lightgrey}Core: ${color}1 ${color #FFEF00}${cpubar cpu1 6,270}$color $alignc
${color lightgrey}Core: ${color}2 ${color #FFEF00}${cpubar cpu2 6,270}$color $alignc
${color lightgrey}Core: ${color}3 ${color #FFEF00}${cpubar cpu3 6,270}$color $alignc
${color lightgrey}Core: ${color}4 ${color #FFEF00}${cpubar cpu4 6,270}$color $alignc

${alignc}${color lightgrey}CPU Temperature: ${color}${hwmon 1 temp 1}C
${color #656565}$stippled_hr$color
${alignc}${color lightgrey}Resources

${color lightgrey}Ram ${alignc} ${color}$mem / $memmax ${alignr}${memperc}% Used
${color #FFEF00}${membar 6,318}
${color lightgrey}Swap ${alignc} ${color}${swap} / ${swapmax} ${alignr}${swapperc}% Used
${color #FFEF00}${swapbar 6,318}
${color lightgrey}Disk ${alignc} ${color}${fs_used} / ${fs_size} ${alignr}${fs_used_perc /}% Used
${color #FFEF00}${fs_bar 6,318 /}

${color lightgrey}Disk IO: $color ${diskio /dev/sda} ${alignr}${color lightgrey}Filesystem: ${color}${fs_type}
${color #656565}$stippled_hr$color
${alignc}${color lightgrey}Processes

${color lightgrey} PID Process${alignr}Memory CPU
${color}${top pid 1} ${top name 1}${alignr}${top mem_res 1} ${top cpu 1}%
${color}${top pid 2} ${top name 2}${alignr}${top mem_res 2} ${top cpu 2}%
${color}${top pid 3} ${top name 3}${alignr}${top mem_res 3} ${top cpu 3}%
${color}${top pid 4} ${top name 4}${alignr}${top mem_res 4} ${top cpu 4}%
${color}${top pid 5} ${top name 5}${alignr}${top mem_res 5} ${top cpu 5}%
${color}${top pid 6} ${top name 6}${alignr}${top mem_res 6} ${top cpu 6}%
${color}${top pid 7} ${top name 7}${alignr}${top mem_res 7} ${top cpu 7}%
${color}${top pid 8} ${top name 8}${alignr}${top mem_res 8} ${top cpu 8}%
${color}${top pid 9} ${top name 9}${alignr}${top mem_res 9} ${top cpu 9}%
${color}${top pid 10} ${top name 10}${alignr}${top mem_res 10} ${top cpu 10}%
${color #656565}$stippled_hr$color

E233: cannot open display

Trying to launch Firefox or Conky results in the error:  E233: cannot open display.

This is because we need to set the DISPLAY variable.  I prefer adding to my ~/.bashrc file.

So add the following line to the end of your ~/.bashrc:

export DISPLAY=:0

Save and close the Windows Bash prompt and re-open it.

Observium nfsen configuration notes

Hacked my way through getting Observium to pick up the nfsen RRD so that I see the Netflow tab in the device in Observium.

Here’s what I did…

Install Prerequisite Software

apt-get install gcc flex librrd-dev make librrdp-perl librrds-perl libsocket6-perl libmailtools-perl mrtg rrdtool

Install nfdump

Download nfdump from SourceForge: https://sourceforge.net/projects/nfdump/files/stable/nfdump-1.6.13/

tar zxvf nfdump-1.6.13.tgz
cd nfdump-1.6.13/
./configure --enable-nfprofile --enable-nftrack
make && make install

Install nfsen

Download nfsen from SourceForge: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/

tar zxvf nfsen-1.3.7.tgz
cd nfsen-1.3.7
cp etc/nfsen.conf.dist etc/nfsen.conf

Make configuration changes to nfsen

Modify etc/nfsen.conf

$USER = "www-data";
$WWWUSER = "www-data";
$WWWGROUP = "www-data";

%sources = (
    'routername' => { 'port' => '9996', 'col' => '#0000ff', 'type' => 'netflow', 'IP' => '1.2.3.4' },
);

$MAIL_FROM = 'me@domain.com';
$SMTP_SERVER = 'mail.domain.com';

Save the file and then make a directory where nfsen will store data.

mkdir -p /var/nfsen
./install.pl etc/nfsen.conf

Start nfsen

cd /var/nfsen/bin
./nfsen start

Configure to start nfsen automatically at reboot.

ln -s /var/nfsen/bin/nfsen /etc/init.d/nfsen
update-rc.d nfsen defaults 20

Configure Apache2

Configure Apache2 so we can access nfsen while still using observium.

Make a directory to store nfsen HTML files

mkdir -p /var/www/html/nfsen

Edit /etc/apache2/conf-enabled/observium.conf and add the following line before the closing </VirtualHost>.

Alias /nfsen /var/www/html/nfsen

Restart Apache2

service apache2 restart

At this point you should be able to access http://yourip/nfsen/nfsen.php

Cannot create graph

If you see that error, check permissions of /var/nfsen and make sure it is accessible by www-data specified in /var/nfsen/etc/nfsen.conf.

Observium Configuration

Note: The %sources entry in /var/nfsen/etc/nfsen.conf must match the host you are using in Observium and it is case sensitive.

So I had a hard time with Observium configuration and decided to just hack it up.

I have Observium installed in /opt/observium, so substitute accordingly.

Add the following to /opt/observium/config.php.

$config['nfsen_enable'] = 1;
$config['nfsen_rrds'] = "/var/nfsen/profiles-stat/live/";
$config['nfsen_split_char'] = "";
$config['nfsen_suffix'] = "";

Enjoy your graphs.

ISPConfig, Dovecot, Postfix and LetsEncrypt SSL

Please See: https://www.howtoforge.com/community/threads/lets-encrypt-working-with-ispconfig-interface-postfix-dovecot-tls-pure-ftpd-monit.75546/

ARCHIVED

I successfully configured Dovecot and Postfix to use my LetsEncrypt SSL certificate for my mail domain.

Generate SSL Certificate

When I installed ISPConfig 3.1b, I followed instructions on setting up LetsEncrypt which placed it in /opt/letsencrypt. If you have LetsEncrypt installed elsewhere, substitute the path below with the correct path.

I run in standalone mode so I need to stop Apache2.

service apache2 stop

Create the certificate.

Update: 12/2016 Install the certbot tool following this guide for Debian Jessie 8:  https://certbot.eff.org/all-instructions/#debian-8-jessie-apache

certbot certonly --standalone -d mail.techish.net

The certificate now lives in /etc/letsencrypt/live/mail.techish.net/

Configure Dovecot

I modified /etc/dovecot/conf.d/10-ssl.conf and added the following lines:

ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

Then I restarted Dovecot

service dovecot restart

That didn’t seem to work;  it was still publishing an invalid certificate, so I had a look around at more configuration files.

I then modified /etc/dovecot/dovecot.conf file.  In this file I saw the ssl_cert and ssl_key variables and I also noted the protocols. The bolded items are what I changed/added.

protocols = imap pop3 imaps pop3s
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
#ssl_cert = </etc/postfix/smtpd.cert
#ssl_key = </etc/postfix/smtpd.key
ssl_cert = </etc/letsencrypt/live/mail.techish.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.techish.net/privkey.pem

I then restarted Dovecot

service dovecot restart

Configure Postfix

I looked at /etc/postfix/main.cf and noted that the cert was pointed to the /etc/postfix/ directory. I decided to back up the certs that existed and then create a symlink.

smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

Back up and create symlinks.

cd /etc/postfix
mkdir ssl-backup
mv smtpd.* ssl-backup/
ln -s /etc/letsencrypt/live/mail.techish.net/fullchain.pem smtpd.cert
ln -s /etc/letsencrypt/live/mail.techish.net/privkey.pem smtpd.key

Restart Postfix

service postfix restart
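
A check worth running after the symlink step and after each renewal, as an added example (not part of the original post): it confirms that the certificate and key files Postfix and Dovecot point at resolve, belong together, and are not about to expire. The function name, return codes and the 14-day default are choices made here.

```shell
#!/bin/sh
# check_tls_pair CERT KEY [MIN_DAYS]
#   0  CERT and KEY match and CERT stays valid for more than MIN_DAYS days
#   1  public keys differ          2  a file is missing or unreadable
#   3  openssl could not parse it  4  CERT expires within MIN_DAYS days
check_tls_pair() {
    cert=$1
    key=$2
    min_days=${3:-14}

    # -r follows symlinks, so a dangling smtpd.cert/smtpd.key link fails here.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    done

    # fullchain.pem starts with the leaf certificate; x509 reads that one.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate: $key" >&2
        return 1
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
        -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days: $cert" >&2
        return 4
    fi
    return 0
}

# Paths from the Postfix section above; skipped when they do not exist.
if [ -e /etc/postfix/smtpd.cert ]; then
    check_tls_pair /etc/postfix/smtpd.cert /etc/postfix/smtpd.key &&
        echo "pair OK" || echo "pair check failed"
fi
```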

Test Internet Speed on Linux Terminal

Instead of visiting sites like Speedtest.net through a browser, you can install speedtest-cli package on Linux and test bandwidth speeds from the command line.

$ apt-get install speedtest-cli

Here’s an example running the command.

root@zabbix:~# speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Level 3 Communications (4.49.115.30)...
Selecting best server based on latency...
Hosted by Armstrong (Butler, PA) [44.33 km]: 13.106 ms
Testing download speed........................................
Download: 14.40 Mbits/s
Testing upload speed..................................................
Upload: 0.65 Mbits/s

DNS Caching for Spamassassin RBLs

So I’m tweaking the mail filter server which is a Debian Linux server running Postfix, MailScanner and SpamAssassin.

I just wanted to share some of the performance improvements after installing pdns-recursor for local caching.

Install PowerDNS

root@mxfilter:~# apt-get install pdns-recursor

Obtain a sample spam email

root@mxfilter:~# wget http://people.apache.org/~wtogami/sample-spam.eml

First Test

root@mxfilter:~# cat sample-spam.eml | spamassassin -D 2>&1 | grep 'async: timing' | sed 's/^.*dbg: async: //'
timing: 0.740 . dns:A:45.135.176.118.iadb.isipp.com.
timing: 0.741 . dns:A:45.135.176.118.dnsbl.sorbs.net.
timing: 0.749 . dns:TXT:45.135.176.118.sa-accredit.habeas.com.
timing: 0.749 . dns:A:45.135.176.118.bb.barracudacentral.org.
timing: 0.750 . dns:TXT:45.135.176.118.bl.spamcop.net.
timing: 0.752 . dns:A:45.135.176.118.psbl.surriel.com.
timing: 0.753 . dns:A:45.135.176.118.list.dnswl.org.
timing: 0.756 . dns:A:45.135.176.118.zen.spamhaus.org.
timing: 0.758 . dns:A:45.135.176.118.bl.score.senderscore.com.
timing: 1.790 . dns:TXT:45.135.176.118.sa-trusted.bondedsender.org.

Second Test

timing: 0.002 . dns:A:45.135.176.118.iadb.isipp.com.
timing: 0.006 . dns:TXT:45.135.176.118.sa-accredit.habeas.com.
timing: 0.012 . dns:A:45.135.176.118.list.dnswl.org.
timing: 0.016 . dns:A:45.135.176.118.bl.score.senderscore.com.
timing: 0.206 . dns:A:45.135.176.118.psbl.surriel.com.
timing: 0.996 . dns:A:45.135.176.118.dnsbl.sorbs.net.
timing: 1.001 . dns:TXT:45.135.176.118.bl.spamcop.net.
timing: 1.003 . dns:A:45.135.176.118.bb.barracudacentral.org.
timing: 1.003 . dns:TXT:45.135.176.118.sa-trusted.bondedsender.org.
timing: 1.009 . dns:A:45.135.176.118.zen.spamhaus.org.

After running pdns-recursor for about 5 minutes here are some statistics.

root@mxfilter:~# rec_control get-all
all-outqueries  116
dlg-only-drops  0
dont-outqueries 0
outgoing-timeouts       0
tcp-outqueries  4
throttled-out   0
throttled-outqueries    0
unreachables    0
answers-slow    0
answers0-1      0
answers1-10     0
answers10-100   1
answers100-1000 24
case-mismatches 0
chain-resends   0
client-parse-errors     0
edns-ping-matches       0
edns-ping-mismatches    0
ipv6-outqueries 0
no-packet-error 0
noedns-outqueries       120
noerror-answers 15
noping-outqueries       0
nsset-invalidations     0
nxdomain-answers        18
over-capacity-drops     0
qa-latency      893
questions       33
resource-limits 0
server-parse-errors     0
servfail-answers        0
spoof-prevents  0
tcp-client-overflow     0
tcp-questions   0
unauthorized-tcp        0
unauthorized-udp        0
unexpected-packets      0
cache-entries   496
cache-hits      0
cache-misses    25
concurrent-queries      0
negcache-entries        10
nsspeeds-entries        369
packetcache-entries     24
packetcache-hits        8
packetcache-misses      25
sys-msec        36
tcp-clients     0
throttle-entries        0
uptime  462
user-msec       48

ldapsearch to get all SMTP email addresses

Cooked this up in a few minutes.  Should return all proxyAddress that are SMTP and all SMTP default addresses for all users not disabled in a specified Organizational Unit.

ldapsearch -x -h ldapserver.example.com -b "ou=Users,ou=example,dc=example,dc=com" -D "exampleldapadmin" -w "s3cr3t" '(& (objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' | grep -i "^mail\|^proxyAddresses: SMTP:" | grep -v mailNickname | sed 's/mail: //' | sed -e 's/proxyAddresses: SMTP://gI' | sed 's!$! OK!' | uniq >> "$VALID"
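
The same extraction as a function that can be checked offline, as an added example (not the author's script): it also joins folded LDIF lines and removes non-adjacent duplicates, which the grep/sed/uniq chain does not. The function names and the LDIF input are constructed for the example.

```shell
#!/bin/sh
# smtp_addresses: read LDIF on stdin and print "address OK" once for every
# mail: value and every proxyAddresses: SMTP:/smtp: value.
# Base64-encoded values ("mail:: ...") are not decoded and are skipped.
smtp_addresses() {
    awk '
        function emit(line,   lower) {
            lower = tolower(line)
            if (lower ~ /^mail: /)
                print substr(line, 7) " OK"      # text after "mail: "
            else if (lower ~ /^proxyaddresses: smtp:/)
                print substr(line, 22) " OK"     # text after "proxyAddresses: SMTP:"
        }
        # LDIF folds long values: a line starting with one space continues
        # the previous line, so join it before matching.
        /^ / { buf = buf substr($0, 2); next }
        { emit(buf); buf = $0 }
        END { emit(buf) }
    ' | LC_ALL=C sort -u    # uniq alone only drops adjacent duplicates
}

# Constructed sample of ldapsearch output (not real directory data).
sample_ldif() {
    printf '%s\n' \
        'dn: CN=Alice Example,OU=Users,OU=example,DC=example,DC=com' \
        'mail: alice@example.com' \
        'mailNickname: alice' \
        'proxyAddresses: SMTP:alice@example.com' \
        'proxyAddresses: smtp:alice.long.alias@mail.exam' \
        ' ple.com' \
        'proxyAddresses: X400:C=US;A= ;P=Example;O=Exchange;S=Example;G=Alice;' \
        '' \
        'dn: CN=Bob Example,OU=Users,OU=example,DC=example,DC=com' \
        'mail: bob@example.com' \
        'proxyAddresses: SMTP:bob@example.com'
}

sample_ldif | smtp_addresses
```

ldapsearch also accepts `-W` (prompt) or `-y <file>` in place of `-w`, which keeps the bind password out of the process list and shell history.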

Automate Telnet Login in BASH

This method will basically automate telnet login and run a command on a router. It doesn’t use TELNET, it uses ncat. The alternative to this approach would be to use the expect command and create a script.

The following command connects to a router via port 23 (telnet port) and issues a sh clock command.

printf "username
password
sh clock
exit
" | ncat 192.168.10.1 23

root@xyzzy:~# printf "admin
s3cr3t
sh clock
exit
" | ncat 192.168.10.1 23
▒▒▒▒▒▒▒▒
User Access Verification

Username: admin
Password:

cisco#sh clock
12:17:54.924 EDT Mon Jun 2 2014
cisco#exit

Note: I haven’t figured out a method to put a delay before the exit command. So if you have a slow link or you’re requesting a lot of information, like a sh run, it’ll bomb out early.