Linux Tutorial – Part 4

By: Solutions Are Obvious

After you’ve logged in as the user you created at install time, you’re presented with the default GUI desktop. None of what follows is required. It’s all optional and supplied for those who want a bit more understanding of how things work, why they work as they do, and how and why some modifications make sense. Consider it tips and techniques. Consider it random musings.

There’s going to be some command line data entry activity, so just do a copy paste for most of it. Every so often what I show is an example and you’ll use your specific information instead. That, you’ll just have to key manually.

Resolve nuisance things

If you don’t have a WiFi connection, hit the down arrow in the upper right corner and then the lower left circular tools icon to bring up the Settings app. Inside the WiFi settings you’ll see the visible networks.

To configure a hidden network, hit the 3 lines icon in its title bar and fill in the necessary information. If that network isn’t served by a DHCP server, the connection will fail because it can’t obtain an IP address. Hit the gears icon once it appears and fill in the static information manually.

While in the Settings app, snoop around to see what else you’d like to set.

I set :

Background = Black

Privacy / Screen Lock = Off

Privacy / Connectivity Checking = Off, but that’s because I don’t use WiFi.

Network / Wired = On, and I use all static IP addresses because I don’t want a DHCP service running.

Details / Date & Time / Automatic Time Zone = On

Details / Date & Time / Time Format = Am/Pm

Details / Users lets you add users to the box, each with their own home area, once you Unlock via the title bar. Now would be a good time to add users if needed.

Note that the Details page is also where the default application definitions live.

Make the root user secure

Most things take root privilege to perform, so let’s fix up root’s identity to make it more usable and secure.

Start a terminal session: CTRL-ALT-T

Think of a good password; something no one is likely to guess and certainly not something you’ve used before, and even more certainly not the same as your user password.

Execute: sudo -i

Execute: passwd root

Supply the root password you’ve decided upon as requested.

If all went well, root now has a password you know, and sudo -i no longer works without a password. You’ve secured your box from someone walking up to it, starting a terminal session and gaining root privilege with sudo -i, because they don’t know your password.

BTW – sudo -i will request your password, not the root password, to authorize supervisor privilege. That’s because you’re a member of the adm group and you’re the currently logged-in user. To show the difference, let’s kill this session and start a new one.

Execute: exit

Execute: exit

Start a terminal session with the three finger salute as shown previously.

Execute: su -

Now enter the root user’s password to gain access. Your personal password won’t work.

You now have root privilege, same as before. The difference is that anyone who knows the root password can execute su -. If you need to work on someone else’s box while they’re logged in, su - gets you supervisor privilege without knowing their personal password, which sudo -i would require.

Execute: exit

Execute: exit

Get current patches

What’s installed may be old. Let’s get the most recent patches. This is a one-time manual effort, as I’ll eventually supply a proper script to do it with a few keystrokes.

If the ‘Software Updater’ pops up asking permission to patch the system, it’s your call whether to let it or to proceed with what’s below. The Software Updater fails on occasion. All I use it for is to let me know patches exist.

Execute: sudo bash -c 'declare rc=1; while [ $rc -ne 0 ]; do apt update; rc=$?; done'

When that’s done,

Execute: sudo bash -c 'declare rc=1; while [ $rc -ne 0 ]; do apt -y upgrade; rc=$?; done'

When that’s finished, you have the most recent software available.

What that code says is: loop the apt command till it reports no error. If you see 403 Forbidden errors flash by, that’s why we loop; the next pass picks up what was missed. The reason I don’t let the ‘Software Updater’ do this is that it sometimes fails to complete an update / upgrade. These loops always work.

The Host Name

If all you have is one box, you can skip this.

If you have multiple boxes and never refer to one box from the other, you can skip this.

No one wants to refer to boxes by their IP address; names are much more convenient. The file /etc/hostname currently contains an ‘unqualified’ host name, the one you supplied at install time. The FQDN (Fully Qualified Domain Name) version is preferred, so let’s change it.

I have several Internet domains registered and I name the boxes so they have a relationship to the particular domain they’re associated with. All of my boxes are behind at least one firewall, and for those private side boxes I create private side FQDNs; I make them up. If my registered domain were xyz.com, then a particular box might be ‘bill.private.xyz‘ because it’s behind a firewall on the private side in support of the xyz domain.

If you’re on a private network, you can pretty much name it whatever you want. The ‘private’ and the ‘xyz’ have no real utility to the box itself. The name is for your benefit; the box doesn’t care.

If you have no registered domains, I suggest you extend the unqualified hostname you supplied at install time with the made-up ‘private.whateveryourlastnameis’. So, for the Rogers family configuring the jimmy box, jimmy.private.rogers should be the contents of the /etc/hostname file.

To see the current contents of the /etc/hostname file,

Execute: cat /etc/hostname

That’s to double-check what name you supplied in case you don’t remember; in this example it should say jimmy.

To change its contents to the suggested example for the Rogers family,

Execute: sudo bash -c 'echo jimmy.private.rogers > /etc/hostname'

Another display of the hostname file will show the new FQDN. The running system picks the new name up at the next reboot.

The hosts file

If you skipped the previous section, you can also skip this.

The Internet runs on DNS (Domain Name Service). DNS converts the names you’re familiar with (amazon.com) to IP addresses too difficult to remember. Your local private network can have a similar name-to-box lookup via the /etc/hosts file.

A private network should have an /etc/hosts file that is identical on every box. What the file contains is a simple name to IP address mapping for every box.

Execute: cat /etc/hosts

What’s displayed is the default information the install created. For every box on your private network, regardless of operating system, there should be an entry in the hosts file, and that entry should contain the box’s actual IP address.

To find the IP address for the box,

Execute: ip addr | grep inet

Ignore the ‘loopback’ addresses 127.0.0.1 and its IPv6 equivalent ::1.

If you’re on an IP version 4 network, look for the line containing a version 4 address. That’s all the digits and periods preceding the first ‘/’ on that line, e.g. 192.168.35.62.

For an IP version 6 network, it’s all the hex digits and colons preceding the first ‘/’ on that line.

Typical lines in the hosts file for a few boxes look like this:

192.168.35.62 jimmy.private.rogers jimmy

192.168.35.183 mary.private.rogers mary

192.168.35.22 larry.private.rogers larry

Sequence doesn’t matter and the number of spaces between columns doesn’t matter. I just like to line things up to make reading easier when I look at the file periodically.

To edit the /etc/hosts file requires root privilege, so

Execute: gedit admin:///etc/hosts

Make additions for all your boxes at the bottom of the file and save. Include this box’s own new FQDN on its real address line; the 127.0.1.1 line the install created carries only the short name, and if the FQDN can’t be resolved, sudo complains that it is unable to resolve the host.

Then copy that file to all your Linux boxes. How to do that will come later.

BTW – never make changes to system files with a word processing app. Always use an editor.

BTW – this is specifying the admin:// protocol to use because root access is required to modify the file.
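The two mistakes that bite when a hand-edited hosts file is copied around are a name that ends up on two different addresses and a box whose own FQDN is missing. Here is an added example (not part of the tutorial) that checks a hosts-format file for both before you copy it; the file path and FQDN are passed in, and the sample content is constructed for this example.

```shell
#!/bin/bash
# Added example (not from the tutorial): sanity-check a hosts file before
# copying it to every box on the private network. Two things go wrong in
# practice: a name ends up on two different addresses in the file, and the
# box's own new FQDN is missing, which makes sudo complain that it cannot
# resolve the host. The file path and FQDN are passed in; the sample
# content below is constructed for this example.

# Print "name address" pairs, one per name or alias, skipping comments,
# blank lines and the loopback entries the install created.
hosts_pairs() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    $1 ~ /^127\./ || $1 == "::1" { next }
    { for (i = 2; i <= NF; i++) print $i, $1 }
  ' "$1"
}

# Fail if any name (or alias) maps to more than one address.
check_no_conflicts() {
  local dups
  dups=$(hosts_pairs "$1" | sort -u | awk '{ print $1 }' | uniq -d)
  if [ -n "$dups" ]; then
    echo "names mapped to more than one address: $dups" >&2
    return 1
  fi
  return 0
}

# Fail unless the FQDN and its short form both appear on the same
# non-loopback address, i.e. a line like
# "192.168.35.62 jimmy.private.rogers jimmy".
check_self_entry() {
  local file=$1 fqdn=$2 short=${2%%.*} a_fqdn a_short
  a_fqdn=$(hosts_pairs "$file" | awk -v n="$fqdn" '$1 == n { print $2; exit }')
  a_short=$(hosts_pairs "$file" | awk -v n="$short" '$1 == n { print $2; exit }')
  if [ -z "$a_fqdn" ] || [ -z "$a_short" ]; then
    echo "no non-loopback entry for $fqdn and $short in $file" >&2
    return 1
  fi
  if [ "$a_fqdn" != "$a_short" ]; then
    echo "$fqdn ($a_fqdn) and $short ($a_short) disagree" >&2
    return 1
  fi
  return 0
}

# check_hosts FILE FQDN : both checks, exit status 0 only if both pass
check_hosts() {
  check_no_conflicts "$1" && check_self_entry "$1" "$2"
}

# Constructed sample in the layout used in the text (not a real network).
sample_hosts_file() {
  cat <<'EOF'
127.0.0.1       localhost
127.0.1.1       jimmy
::1             localhost ip6-localhost ip6-loopback
192.168.35.62   jimmy.private.rogers jimmy
192.168.35.183  mary.private.rogers  mary
192.168.35.22   larry.private.rogers larry
EOF
}

# On a live box: check_hosts /etc/hosts "$(cat /etc/hostname)"
```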

Get some stuff

I prefer operating with the Gnome desktop because it offers more flexibility. I always start an SSH server because I maintain lots of boxes and I don’t want to be running around physically (sneaker net) from box to box. I prefer gaining remote access to a box and doing things from my personal box. I also install firewall software on all boxes just in case I need it.

Execute: sudo apt install -y ubuntu-gnome-desktop openssh-server firewall-config

This isn’t in a loop, so if you see a 403 error, just run it again and again until you see no errors and a long string of #### signs runs across the bottom of the screen to show the install is in progress.

Let’s reboot the box to activate all the patches and show how to get at the just-installed Gnome desktop.

Execute: reboot

When the box comes back up, hit enter on the login id but make note of the gear icon below the password entry line. You can pick the GNOME flavor of desktop to try it out, then enter the password and continue. That will be the default going forward till you explicitly change it.

Gnome functions a bit differently. Hitting the upper left corner with the mouse pointer provides a hint of what’s new. The routinely accessed icons appear down the left side (Favorites) and the right side shows the available alternate workspaces. All of this is configurable. The top has a search window that will find apps or files/folders. A bit of further configuring will make this even better.

The many workspaces provide for having lots of apps active but not cluttering any one workspace. If you open an app on a workspace you can drag it to another workspace to get it out of your way or to concentrate on it. The default number of workspaces is 4 and their appearance is dynamic.

Sometimes it’s convenient to have one app positioned on top of another to take information from the top one and copy or enter it into the bottom one. By right-clicking the title bar of an app, it’s often possible to force it to be ‘Always on Top’. When doing data entry in the app below, the shrunken top app remains visible. This may not sink in just by reading it, but remember that it’s possible to force an app to always remain visible on top. As you work, you’ll discover a use for this knowledge.

If you mouse to the upper right corner and click you’ll see a drop down quite similar to the previous default. The standard shutdown / reboot / logout / etc is there along with a volume control and for laptops a brightness control for certain hardware. The settings button brings up the same options as before.

Both the SSH and firewalld servers should be running.

Execute: systemctl status sshd

Execute: systemctl status firewalld

Use arrow keys to view what might be cut off and the ‘q’ key to quit. Neither is completely configured.

For SSH to allow root access with a password,

Execute: sudo perl -pi -e 's/#PermitRoot/PermitRoot/' /etc/ssh/sshd_config

Execute: sudo perl -pi -e 's/prohibit-password/yes/' /etc/ssh/sshd_config

Execute: sudo systemctl restart sshd

Now that SSH is set up to allow root access using passwords, from this box you can log into another box on the network that is set up the same way, as any existing user there, including root. It’s also possible to send files from one box to the other.

If I’m the bill user on my box but want to become the root user on jimmy’s box all I have to do is

Execute: ssh root@jimmy

This is making use of the hosts file to provide the name to IP address translation.

To send the previously altered /etc/hosts file from one box to another box one might

Execute: scp /etc/hosts root@mary:/etc

The mary box could be in a completely different part of the building or with a slight modification could be in Timbuktu. Same for the ssh.

BTW – the reason this works without having root privilege is because the hosts file is readable by the average user. The command will ask for the root password for the mary box. Some additional setup for SSH can eliminate all password activity once ‘keys’ are generated and exchanged between trusted partners. An advanced topic.
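Because sshd keeps the first uncommented value it reads for each keyword, a substitution further down sshd_config changes nothing if the keyword was already set earlier, and values inside a Match block apply only to matching connections. The following is an added example (not from the tutorial) that reads a config file the way sshd does and reports whether root password login is actually in effect; the sample configs are constructed, and files pulled in by an Include line are not followed.

```shell
#!/bin/bash
# Added example (not from the tutorial): show the value sshd will actually
# use for a keyword such as PermitRootLogin after the edits above. sshd
# keeps the FIRST uncommented value it reads for each keyword, so a
# substitution further down the file changes nothing if the keyword was
# already set earlier. Values inside a Match block apply only to matching
# connections, so reading stops there. Files pulled in by an Include line
# are not followed here; "sudo sshd -T" prints the fully merged result on
# a live box. The sample configs below are constructed for this example.

# effective_sshd_option FILE KEYWORD : prints the global value, or nothing
effective_sshd_option() {
  awk -v key="$2" '
    NF == 0 || $1 ~ /^#/        { next }   # blank lines and comments
    tolower($1) == "match"      { exit }   # end of the global section
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Does this config let root log in with a password? Uses the sshd
# defaults (prohibit-password, yes) when a keyword is not set at all.
root_password_login_allowed() {
  local prl pa
  prl=$(effective_sshd_option "$1" PermitRootLogin)
  pa=$(effective_sshd_option "$1" PasswordAuthentication)
  if [ "${prl:-prohibit-password}" = yes ] && [ "${pa:-yes}" = yes ]; then
    return 0
  fi
  return 1
}

# Constructed sample: what the two perl substitutions leave behind.
sample_after_edit() {
  cat <<'EOF'
# Ubuntu-style config after the edits above (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
}

# Constructed sample: an earlier explicit setting wins over the edit.
sample_earlier_setting_wins() {
  cat <<'EOF'
PermitRootLogin no
PermitRootLogin yes
EOF
}

# On a live box: root_password_login_allowed /etc/ssh/sshd_config && echo "root password login is on"
```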

If you intend to have several boxes up, it’s a good idea to configure one box with two or possibly more (rare) Ethernet adapters. One NIC (Network Interface Card) will become your public NIC and the other one or more will be on the private side(s). Firewall software will define what traffic types are allowable on what NICs. Such a box should typically not be used by a person. It should be used to host Internet and a few other services that are automated and strictly controlled. People can’t be classified as strictly controlled. BTW – a wireless NIC is still a NIC.

I normally don’t do wireless for security and other reasons. The wireless world offers options that complicate what’s possible and what to do given a particular set of circumstances. For example, an ISP’s wireless Internet gadget may offer or force a proxy server environment. It may offer or force a BS firewall option that you have no idea how good it is or what it’s doing and not doing.

Typically I ask for a wired connection that’s a clear pipe and I’m willing to pay for it. I don’t want the ISP filtering my traffic which then lets me do outbound SSH, FTP, SMTP, and other protocols if necessary. The average user probably won’t need that.

A digression to explain how a firewall works conceptually.

X number of boxes on the private side communicate with each other over a private Ethernet. None of that traffic bleeds across to the public side. Now a private box requests a public resource, as when browsing to some web site. The private Ethernet packets are routed to the public NIC with the firewall software in control. Typically firewall rules say that the private side can initiate all manner of outbound traffic, and the firewall allows the route to take place. The source IP address of the private packets is translated (masqueraded) to become the public IP address of the firewall. That stream of now-public packets is sent out.

The returning packets that satisfy the request arrive at the public NIC. Firewall and routing rules convert the public NIC’s address back to the originating private box’s address as part of the allowable routing process. The now-private packets light up the user’s browser. The remote web site sees one public IP address for all the internal boxes. That’s the Reader’s Digest version and I’m taking some liberties with the absolute truth.

When viewed in the reverse direction, such as a hack that initiates traffic inbound to the public NIC, the mechanism is different. First, the inbound traffic has no idea there is a private side, how many boxes it comprises, or what their internal IP addresses are. The hacker sees the public NIC only. The inbound traffic is checked by the firewall rules and a determination is made to allow or deny it. Some trivial unsolicited inbound traffic is usually allowed, such as a ping request, as that’s considered courteous and has actual benefits. Any traffic not expected is simply denied and the packets trashed.

If the firewall box also happens to host an advertised service like an email server or web server, for example, the appropriate inbound traffic to those services is allowed. Those services are usually configured to only ‘listen’ on the public NIC and they won’t accept packets of the wrong type even if on the Ethernet.

The first rule on the public side is deny all. Then exceptions are written (holes are drilled in the firewall) to allow what’s reasonable. Any malicious packets typical of a hack are trashed at the public NIC. Logs are available to provide a forensic capability. If some IP or range of IPs is constantly hammering the public NIC, firewall rules can make the public NIC disappear to all traffic from those IPs. If the email server logs show spam originating from certain sending IPs, those IPs can be blocked from seeing the email server, and hence the email server no longer sees the spam. Rules can be written to deny access to whole countries or continents.

More than one private Ethernet is sometimes used when one group inside an organization wants to be isolated from the other group(s). Firewall rules can provide private-to-private checks no different from the private-to-public case. Sometimes resources are segregated to a private Ethernet for the specific use of only some users; printers and high-end plotters, as an example. Once the mechanism is understood, only the imagination limits how the tech is to be applied.

BTW – a firewall can be some tired old box, as all it’s really doing is routing traffic according to rules. Just give it at least two NICs. If it has to also host a web site and do other more strenuous duty, then testing should reveal if any particular box has enough processing power.

If your motherboard only has one NIC, you can purchase an add-in board for a few dollars, assuming there’s slot space to insert it. Alternatively, it is possible to purchase a NIC that plugs into a USB port, which everyone has a boat load of. Some motherboards come with dual NICs expressly for firewall duty. Single add-in boards with 4 or more NICs are available for enterprise environments.

When a box only has one NIC, the firewall can be set up for certain tasks, but that’s the type of arrangement for a typical user station. The user will ask to drill numerous holes in the firewall to allow the user to function conveniently rendering the firewall essentially as clear as glass to traffic. It’s usually not worth the effort.

Writing the rule sets (firewall-config) for a firewall has to be done knowing explicitly what to allow and what to deny on a case by case basis. With only a single NIC available, I usually stop and then disable the firewall so it won’t restart on the next boot up. The software is there just in case.

Execute: sudo systemctl stop firewalld

Execute: sudo systemctl disable firewalld

Once a firewall is set up, it needs to be tested by a penetration tool like nmap or Wireshark from the public side of the box. That usually means outside your facility, as most ISPs don’t offer a way to get at a second public IP on their offering.
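The "deny all, then drill holes" arrangement described above, written as firewall-cmd calls (the command line behind firewall-config) for a box with one public and one private NIC, is an added example and not part of the tutorial. The NIC names, the service list and the blocked address are assumptions for this example; with FW_DRY_RUN=1 it prints the plan instead of applying it.

```shell
#!/bin/bash
# Added example (not from the tutorial): the "deny all, then drill holes"
# firewall described above, expressed as firewall-cmd calls (the command
# line behind firewall-config) for a box with a public NIC and a private
# NIC. NIC names, the service list and the blocked address are
# assumptions for this example; substitute your own. With FW_DRY_RUN=1
# the plan is printed instead of applied, so it can be reviewed first.

# Every permanent change goes through this one function.
fw() {
  if [ "${FW_DRY_RUN:-0}" = 1 ]; then
    echo "firewall-cmd --permanent $*"
  else
    firewall-cmd --permanent "$@"
  fi
}

fw_reload() {
  if [ "${FW_DRY_RUN:-0}" = 1 ]; then
    echo "firewall-cmd --reload"
  else
    firewall-cmd --reload
  fi
}

# configure_two_nic_firewall PUBLIC_NIC PRIVATE_NIC "svc svc ..."
configure_two_nic_firewall() {
  local pub=$1 priv=$2 services=$3 svc
  # Public side: the first rule is deny all (DROP target), then the holes.
  fw --zone=public --change-interface="$pub"
  fw --zone=public --set-target=DROP
  fw --zone=public --remove-service=dhcpv6-client   # shipped default, not wanted here
  for svc in $services; do
    fw --zone=public --add-service="$svc"
  done
  # Private side lives in the internal zone.
  fw --zone=internal --change-interface="$priv"
  # Private boxes may initiate anything outbound; their source addresses
  # are masqueraded to the public NIC's address on the way out.
  fw --new-policy=private-out
  fw --policy=private-out --add-ingress-zone=internal
  fw --policy=private-out --add-egress-zone=public
  fw --policy=private-out --set-target=ACCEPT
  fw --zone=public --add-masquerade
  fw_reload
}

# Make the public NIC disappear to one address that keeps hammering it.
block_source() {
  fw --zone=public --add-rich-rule="rule family=ipv4 source address=$1 drop"
  fw_reload
}

# Print the plan: constructed NIC names and a TEST-NET-3 address.
if [ "${1:-}" = plan ]; then
  FW_DRY_RUN=1
  configure_two_nic_firewall enp1s0 enp2s0 "ssh http https smtp"
  block_source 203.0.113.7
fi
```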

Additional software to install

There are a few utilities that I think should be on every box to make the environment more usable. I’ll be using a few shortly. This one-time install is not in a loop, so pay attention if there’s a 403 error. Watch for ‘#######’ to show the installs are in progress. Run it till it succeeds.

Execute: sudo apt -y install gnome-system-monitor gnome-calculator sendmail gnome-tweak-tool dconf-editor smartmontools xsensors hdparm gsmartcontrol tree

Then there are some debugging tools that come in handy when things go wrong, but these are definitely for techies. I’m not going to explain anything about them. Don’t install them unless you investigate them and discover you need them.

Execute: sudo apt -y install traceroute gnupg2 unrar nmap

Lastly, some nice completely optional tools for specific purposes you may want to investigate.

Execute: sudo apt -y install obs-studio gimp vlc

If you want the Chrome browser, get it directly from the Google web site as the one available via standard Linux repositories won’t run Netflix or Amazon movies. My wife discovered this and declared it a catastrophe when I installed the repo version on her box.

More one time configuration

These are suggestions. I’m presenting these apps to show where some of the control points are. Snoop around to find things that may interest you.

In the search bar request the dconf Editor. The first few characters should find it.

@ org.gtk.settings.file-chooser.sort-directories-first=On

@ org.gtk.settings.file-chooser.clock-format=12h

In the search bar request the Tweaks tool.

@ Desktop.Show Icons=On

@ Desktop.Home=Off

@ Startup Applications Add in whatever you want to auto start

@ Top Bar.Date=On

@ Top Bar.Seconds=On

@ Workspaces You can control how many workspaces (desktops) maximally appear on the right.

Bring up a terminal.

In the very top left of the screen you’ll see the control for the terminal. Set Preferences / Unnamed to anything you want. I usually set the columns to be near maximum screen width and rows to half screen height.

Mouse to the top left corner to see the default apps in the left side ‘Favorites’. Right click to delete the ones you don’t want. Use the center top search box to find an app or use the ‘Show Applications’ icon (9 dots) in Favorites and right click an app to add it to Favorites. Drag any icon to reposition it in the Favorites area.

Note the ‘Software’ app available via the ‘Show Applications’ icon. This will allow you to find and install hundreds of apps. To know what’s already installed, click the top center ‘Installed’ button. You can remove installed apps from there. Snoop around the various categories to get a feel for what’s available officially.

The Software app’s ‘Add-ons’ category has other tools that I usually install. Click Add-ons / Shell Extensions. Locate and install ‘Freon’, ‘Change PC Brightness’, ‘Applications Menu’ and ‘User Themes’. Note that anything you install usually has a setting option to configure the tool and also a Remove button to get rid of it. The top of the screen now has some new controls. Clicking the top left ‘Applications’ now gives a drop down that makes access to apps easier.

In Favorites bring up the Files app (real name Nautilus). Click the 3 horizontal lines icon and then set the percentage to something more reasonable like 50% by using the adjacent up and down arrows. That changes the size of icons on the Desktop also.

I usually start sendmail just so the box can forward important O/S messages to my email address for my attention. All my boxes have me as the person to notify if there’s an issue, so every box gets the following done to it.

If my email address were [email protected], then the following commands would set up email properly. Just use your email address instead.

Execute: sudo bash -c 'echo root: [email protected] >/etc/aliases'

Execute: sudo newaliases

Execute: sudo systemctl restart sendmail

Modern hard drives have an onboard diagnostics and recording capability that can be interrogated by software. The smartd tool monitors the ‘Self-Monitoring, Analysis and Reporting Technology (SMART)’ system on a drive. The /etc/smartd.conf file controls the smartd tool.

As delivered, smartd will do nothing. To tell it to monitor every smart capable drive,

Execute: sudo bash -c 'echo DEVICESCAN -a >>/etc/smartd.conf'

Execute: sudo systemctl restart smartd

This provides a default monitoring mechanism. Explicit monitoring and reporting can also be requested, including active periodic testing of drives by providing additional commands in the /etc/smartd.conf control file.

Unbeknownst to many Linux users, there are terminal sessions available for login completely independent of the primary screen. To see these text only screens waiting for a login, simultaneously hit any of these combinations CTRL-ALT-F3, CTRL-ALT-F4, CTRL-ALT-F5 or CTRL-ALT-F6, with F3 through F6 being the function keys.

You can login on any of these screens as any user on the box. A typical use for these screens is to login on one of them as the root user to do some command line maintenance while a regular user is logged into the normal GUI screen. To return to the GUI screen simultaneously hit ALT-F2.

How to create a script

Scripting is a powerful tool in the Linux environment. The most popular languages are BASH and Python. As promised, below is a small BASH script to get all available patches by looping the necessary commands till there are no errors reported. This is peculiar to Ubuntu, as it’s one of their servers that’s the cause of the 403 errors.

Execute: sudo touch /usr/local/sbin/aptUpdateUpgrade

Execute: gedit admin:///usr/local/sbin/aptUpdateUpgrade

Then copy the code below into the editor and save the file.

#!/bin/bash
# Loop apt update until it exits 0 (a 403 from a mirror makes it exit non-zero).
returnCode=1
while [ "${returnCode}" -ne 0 ]; do
    apt update
    returnCode=$?
    echo "${returnCode}"
done
# Then loop the upgrade the same way.
returnCode=1
while [ "${returnCode}" -ne 0 ]; do
    apt -y upgrade
    returnCode=$?
    echo "${returnCode}"
done

Execute: sudo chmod 700 /usr/local/sbin/aptUpdateUpgrade

This makes the script executable only by root.

Any time you want to get the latest patches run that script.

Execute: sudo aptUpdateUpgrade
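The loops in the "Get current patches" section and in aptUpdateUpgrade spin forever if the box has no network at all. As an added example (not the tutorial’s script), here is the same idea generalised into a retry helper with an attempt cap and a pause between tries; the attempt counts and delays are assumptions, and nothing runs until the script is invoked as root with the argument run.

```shell
#!/bin/bash
# Added example (not the tutorial's aptUpdateUpgrade script): the same
# "loop until apt exits 0" idea, generalised into a retry helper that
# gives up after a fixed number of attempts and pauses between tries, so
# a box with no network does not spin forever. Nothing runs until the
# script is invoked as root with the argument "run".

# retry MAX DELAY COMMAND... : run COMMAND until it exits 0, at most MAX
# times, sleeping DELAY seconds between attempts. Returns 0 on success,
# otherwise the last exit status of COMMAND.
retry() {
  local max=$1 delay=$2 attempt=1 rc
  shift 2
  while :; do
    if "$@"; then
      return 0
    else
      rc=$?
    fi
    if [ "$attempt" -ge "$max" ]; then
      echo "giving up on '$*' after $attempt attempts (last rc=$rc)" >&2
      return "$rc"
    fi
    echo "attempt $attempt of $max failed (rc=$rc); retrying in ${delay}s" >&2
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# Ten tries, half a minute apart, for each of the two apt steps
# (assumed values; adjust to taste).
apt_update_upgrade() {
  retry 10 30 apt update && retry 10 30 apt -y upgrade
}

if [ "${1:-}" = run ]; then
  if [ "$(id -u)" -ne 0 ]; then
    echo "run this as root, e.g. sudo $0 run" >&2
    exit 1
  fi
  apt_update_upgrade
fi
```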

The End


Author: Glock-N-Load

Simply a concerned, freedom loving American.

9 Comments
SeeBee
November 20, 2019 8:30 pm

Kudos to you, SAO. And all who can follow this. It’s over my head so I’m going back to something I know.

c1ue (in reply to SeeBee)
November 21, 2019 3:35 pm

It isn’t “hard” in the sense that you can look up all of this online.
It is “hard” in the sense that you really need to learn a whole new set of data to set up and use Linux.
Keep in mind that the Linux being talked about above is literally light years easier than, say, 10 years ago. Earlier, there were serious problems with driver support and whatnot.
And, if you start taking stuff out – Linux gets *really* wonky. A development Linux server I was testing on – I took out the GNOME desktop that I had manually installed previously.
The result was that I couldn’t log in after a reboot – except for using ALT-function commands. That worked for a while, until it didn’t.
It turned out to be easier to just save the data and reinstall Linux rather than figure out what part of GNOME desktop removal broke what part of Linux.
Linux also has some quirks when using virtual machines – particularly USB connections to said virtual machines.

Anonymous
November 21, 2019 1:27 am

FFS, just install Mint and play around. This article is crazy complicated crap that you don’t need to know to get started with this.

Anonymous (in reply to Anonymous)
November 21, 2019 7:52 am

Agree. Set up Mint in VirtualBox or an old computer or whatever. Takes no time at all. Download the ISO image, burn it onto a CD or USB stick, and try it. If you don’t know how, no problem. Those steps are pretty easy and you can find info on the web or ask a local techie to help. This will let you play around, get an idea, and see what’s on offer. No average, non-techie user is going to enter all those archaic commands manually into a command window.

splurge (in reply to Anonymous)
November 21, 2019 1:06 pm

It requires very little manual entry. SAO did suggest a copy/paste entry method that is quite simple to follow.

Anonymous
November 21, 2019 2:26 am

I can hardly wait for Linux Tutorial – Part 5,6082.

BWD
November 21, 2019 4:07 pm

Are these command prompts only for Ubuntu or do they work the same with others?

Solutions Are Obvious (in reply to BWD)
November 21, 2019 6:13 pm

Command line Linux works the same from one distro to the next with minor modifications on what the O/S might name a drive or other rather cosmetic differences. That’s why I do things via the command line – it always works, even when you’ve hosed up the GUI which does happen on occasion if you’re fooling around.

BWD (in reply to Solutions Are Obvious)
November 21, 2019 7:01 pm

Thanks