Monday, July 26, 2021

Microsoft Windows Core Memory Integrity

Microsoft Windows 10 memory integrity, also called hypervisor-protected code integrity (HVCI) and shown under "core isolation", uses hardware virtualization to run the kernel's code-integrity checks in an isolated environment. Unsigned or tampered kernel-mode code (usually a driver) then cannot be loaded, which is the normal route malware takes into the memory of Windows system processes. It is generally a good feature to enable, though it will refuse to start while an incompatible, typically older, driver is installed. Some vendors ship machines with it turned off, so check it yourself.

Read about Microsoft's Core Isolation.

A recently purchased Dell laptop running Windows 10 had this option turned off, so memory integrity should be checked even on factory-delivered machines. The Dell machine was running the edition known as "Windows 10 Home in S mode".

For any Windows 10 machine, first check whether the processor's virtualization extensions are enabled, since memory integrity cannot start without them. Press the Start button and type: task manager
Choose the Task Manager app.

In Task Manager, click the Performance tab, then CPU. Look in the lower right for Virtualization; the Task Manager screenshot in the original post shows it as Enabled. Alternatively, open a command prompt, run systeminfo, and read the Hyper-V Requirements lines at the end of the output: "Virtualization Enabled In Firmware: Yes" is what you want, and "A hypervisor has been detected" means virtualization-based security (or Hyper-V) is already running.
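The same facts, plus the state of memory integrity itself, are exposed by the Win32_DeviceGuard CIM class, which is the check to script across many machines. The following is an added example in Python, not code from the original post or from Microsoft: on Windows it runs the PowerShell Get-CimInstance query shown in the code and decodes the JSON; on any other system (or for a test) it decodes a record passed in. The property codes it decodes (1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection; service code 2 = HVCI; status 0/1/2 = disabled, enabled but not running, running) are the documented values for that class, and SAMPLE_RECORD is constructed, not captured from a real machine.

```python
"""Decode the virtualization-based security state Windows reports through the
Win32_DeviceGuard CIM class: hardware virtualization, Secure Boot, whether
VBS is running, and whether Memory Integrity (HVCI) is configured and running.

Added example, not from the original post. On Windows it runs PowerShell's
Get-CimInstance against root\\Microsoft\\Windows\\DeviceGuard and decodes the
JSON; elsewhere it decodes a record you pass in. SAMPLE_RECORD is constructed.
"""
import json
import platform
import subprocess

# Documented values of the Win32_DeviceGuard properties used below.
VBS_STATUS = {0: "disabled", 1: "enabled but not running", 2: "running"}
HVCI = 2                                   # SecurityServices code for Memory Integrity
PROPERTIES = {1: "hypervisor support", 2: "Secure Boot", 3: "DMA protection"}

PS_QUERY = ("Get-CimInstance -Namespace root\\Microsoft\\Windows\\DeviceGuard "
            "-ClassName Win32_DeviceGuard | ConvertTo-Json")


def query_device_guard():
    """Fetch the live record (Windows only); raises on other platforms."""
    if platform.system() != "Windows":
        raise OSError("Win32_DeviceGuard is only available on Windows")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", PS_QUERY],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def _as_set(value):
    # ConvertTo-Json emits a bare number for a one-element array and null for none.
    if value is None:
        return set()
    if isinstance(value, int):
        return {value}
    return set(value)


def assess(record):
    """Turn a Win32_DeviceGuard record into findings and the next step to take."""
    available = _as_set(record.get("AvailableSecurityProperties"))
    configured = _as_set(record.get("SecurityServicesConfigured"))
    running = _as_set(record.get("SecurityServicesRunning"))
    vbs = record.get("VirtualizationBasedSecurityStatus", 0)
    findings = {
        "virtualization": 1 in available,
        "secure_boot": 2 in available,
        "vbs": VBS_STATUS.get(vbs, "unknown (%r)" % vbs),
        "hvci_configured": HVCI in configured,
        "hvci_running": HVCI in running,
        "missing_properties": sorted(name for code, name in PROPERTIES.items()
                                     if code not in available),
    }
    # The decision mirrors the order of the steps in the post.
    if not findings["virtualization"]:
        findings["action"] = "enable virtualization (VT-x / AMD-V) in firmware setup"
    elif findings["hvci_running"]:
        findings["action"] = "none: Memory Integrity is on"
    elif findings["hvci_configured"]:
        findings["action"] = "configured but not running: reboot, then review incompatible drivers"
    else:
        findings["action"] = "turn on Memory Integrity under Windows Security > Core isolation"
    return findings


# Constructed record in the shape ConvertTo-Json emits, not captured from a real machine:
# virtualization present, Memory Integrity switched on but not yet running.
SAMPLE_RECORD = {
    "AvailableSecurityProperties": [1, 2, 3],
    "SecurityServicesConfigured": [2],
    "SecurityServicesRunning": None,
    "VirtualizationBasedSecurityStatus": 1,
}

if __name__ == "__main__":
    record = query_device_guard() if platform.system() == "Windows" else SAMPLE_RECORD
    for key, value in assess(record).items():
        print("%-20s %s" % (key, value))
```

The "configured but not running" state is the one to watch for: it is what you see after flipping the switch in Settings and before the reboot, and also what an incompatible driver leaves behind, so it is where the driver review later in this post begins. The Settings toggle itself writes the Enabled value under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity, which is what SecurityServicesConfigured reflects.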

If Virtualization is not enabled, reboot the machine and press the key for firmware (BIOS/UEFI) setup, often a function key or DEL. In the setup utility, look for a setting named Virtualization, VT-x, SVM or AMD-V and turn it on (enable VT-d or the IOMMU as well if offered; it is what provides the DMA protection listed on the Core isolation page). Save the settings and restart. The original post showed two different BIOS setup screens here.

After rebooting into Windows, open the Settings app (press the Start button, then the gear icon). In the Settings app, type: core isolation

Choosing Core Isolation opens Windows Security at Device Security, Core isolation details.

If Memory Integrity is not listed on the Core Isolation page at all, Windows does not see the virtualization features it needs: restart the computer, enter the firmware settings and turn on the virtualization options.

If Memory Integrity is already on, your machine is using core memory integrity and you are done.

If Memory Integrity is off, try to turn it on. Sometimes it simply turns on; sometimes it asks for a reboot. In the harder cases it reports incompatible drivers, and you decide how to correct each one.

For the following procedures you need a local Administrator account.

It may take a restart to fully turn Memory Integrity on. If it reports incompatible drivers, press the Review link to see which driver packages are blocking it.

Some incompatible drivers must be completely removed. In one case, I encountered an incompatible Realtek sound driver; I removed it, rebooted, turned on Memory Integrity, and was then able to reinstall the same sound driver while Memory Integrity stayed on.

In this example, the Realtek sound driver and the ViMicro web cam driver are incompatible. To remove them, open Device Manager and uninstall the drivers: as Administrator, press the Start button and type: device manager
Look in Device Manager for the yellow warning flags, and try to update or uninstall the device, ticking the option to delete the driver software. In this case the old driver package "oem3.inf" could not be removed through Device Manager.

It could be removed from an elevated command prompt: pnputil /delete-driver oem3.inf

The incompatible-driver list in Windows Security identifies each package by this published name (oemNN.inf). If pnputil refuses because the package is still attached to a device, the same command accepts /uninstall and /force to remove it anyway.

If a driver package still will not uninstall, the .sys file can be removed or renamed by hand in C:\Windows\System32\drivers, but treat that as a last resort: a driver needed at boot leaves the machine unbootable if it goes missing, so create the restore point described below first, and prefer pnputil, which also removes the package from the driver store so Windows cannot quietly reinstall it.
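Finding which oemNN.inf belongs to which vendor is the tedious part, because the published names are assigned in installation order. The following is an added example in Python, not code from the original post or from Microsoft: it parses the listing that pnputil /enum-drivers prints (the field names are those of the Windows 10 listing), selects packages by provider or device class, and builds the pnputil /delete-driver command for each hit. SAMPLE_LISTING is constructed in that format; the original names, versions and GUIDs in it are made up and are not real driver packages.

```python
"""Parse `pnputil /enum-drivers` output and pick out third-party driver
packages (oemNN.inf) by provider or device class, then build the
`pnputil /delete-driver` command for each.

Added example, not from the original post. Field names follow the Windows 10
`pnputil /enum-drivers` listing; SAMPLE_LISTING is constructed, not captured.
"""
import platform
import re
import subprocess

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>.*)$")


def parse_enum_drivers(text):
    """Split the listing into one dict per driver package (blank line separated)."""
    packages, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                packages.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value").strip()
    if current:
        packages.append(current)
    # The banner line has no fields, so only real packages carry a Published Name.
    return [p for p in packages if "Published Name" in p]


def find_packages(packages, provider=None, class_name=None):
    """Case-insensitive substring match on Provider Name and/or Class Name."""
    hits = []
    for p in packages:
        if provider and provider.lower() not in p.get("Provider Name", "").lower():
            continue
        if class_name and class_name.lower() not in p.get("Class Name", "").lower():
            continue
        hits.append(p)
    return hits


def delete_command(package, force=False):
    """pnputil command line for a package; /uninstall detaches devices, /force overrides in-use."""
    cmd = ["pnputil", "/delete-driver", package["Published Name"], "/uninstall"]
    if force:
        cmd.append("/force")
    return cmd


def enum_drivers_live():
    """Run pnputil on a Windows host and parse the result."""
    if platform.system() != "Windows":
        raise OSError("pnputil is only available on Windows")
    out = subprocess.run(["pnputil", "/enum-drivers"],
                         capture_output=True, text=True, check=True).stdout
    return parse_enum_drivers(out)


# Constructed listing in the pnputil format; these are not real driver packages.
SAMPLE_LISTING = """Microsoft PnP Utility

Published Name:     oem3.inf
Original Name:      example_audio.inf
Provider Name:      Realtek Semiconductor Corp.
Class Name:         Sound, video and game controllers
Class GUID:         {4d36e96c-e325-11ce-bfc1-08002be10318}
Driver Version:     01/15/2015 6.0.1.7000
Signer Name:        Example Signer

Published Name:     oem7.inf
Original Name:      example_cam.inf
Provider Name:      Vimicro
Class Name:         Imaging devices
Class GUID:         {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Driver Version:     03/02/2012 5.8.0.0
Signer Name:        Example Signer

Published Name:     oem9.inf
Original Name:      example_net.inf
Provider Name:      Intel
Class Name:         Network adapters
Class GUID:         {4d36e972-e325-11ce-bfc1-08002be10318}
Driver Version:     06/01/2020 12.18.9.10
Signer Name:        Example Signer
"""

if __name__ == "__main__":
    pkgs = (enum_drivers_live() if platform.system() == "Windows"
            else parse_enum_drivers(SAMPLE_LISTING))
    for p in find_packages(pkgs, provider="realtek"):
        print(p["Published Name"], "|", p["Provider Name"], "|", p["Class Name"])
        print("   ", " ".join(delete_command(p)))
```

The script only prints the command; run it yourself from an elevated prompt once you have confirmed the package is the one Windows Security complained about. Deleting a package does not remove the running driver until the next reboot, which is why the post's sequence is remove, reboot, enable Memory Integrity, then reinstall a current version.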


When the incompatible drivers are resolved, the Memory Integrity setting in Windows Security should show as On, as in the screenshot that followed in the original post.

When finished, you may want to create a restore point. Press the Start button and type: restore point
Choose Configure, then Create the new restore point.

You should then check for corrupt Windows files with DISM and the System File Checker, described in the post below. That check runs through the Windows Modules Installer (TrustedInstaller) service, which verifies the Windows system files and replaces any that do not match the component store.

 

Monday, July 19, 2021

Ubuntu logon info and message of the day (motd)

This post shows how to print the machine's public-facing IPv4 address as part of the interactive logon message.


Upon an interactive logon, Ubuntu prints brief machine information: a header, system info from /usr/bin/landscape-sysinfo and a summary of available updates. That text comes from the scripts in /etc/update-motd.d, which pam_motd runs through run-parts, as root, in lexical order of their file names, to regenerate /run/motd.dynamic at each login.

You may add your own script to /etc/update-motd.d; the leading number in its name controls where its output lands, and the file must have the execute permission set. Because these scripts run as root on every login, keep them short, give any network call a timeout so a dead link cannot stall logins, and treat whatever they fetch as untrusted input.

On external-facing machines, I often add a script that prints the external IP address right after the network lines from 50-landscape-sysinfo.

Create the file /etc/update-motd.d/61-external-ip, owned by root,
and give it execute permission:
sudo chmod 755 /etc/update-motd.d/61-external-ip

 

Place the following in the new file. The two lookups are kept independent so a wrong answer from one service shows up as a disagreement; the variables are quoted so an empty reply cannot break the test, and the replies are printed through %s so a reply can never act as a printf format string:
#!/bin/sh
# Ask two independent services for the public address.
# --max-time keeps a dead network from stalling every login; https keeps a
# man-in-the-middle from feeding the motd a fake answer.
ONE=$(/usr/bin/curl -s --max-time 3 https://checkip.amazonaws.com)
TWO=$(/usr/bin/curl -s --max-time 3 https://ifconfig.me)

if [ -n "$ONE" ] && [ "$ONE" = "$TWO" ]; then
    printf '  External IPv4: %s\n' "$ONE"
elif [ -z "$ONE" ] && [ -z "$TWO" ]; then
    printf '  External IPv4: unavailable\n'
else
    printf '  External IPv4 may be: %s or %s\n' "${ONE:-?}" "${TWO:-?}"
fi


Save the file, then log on to the machine and look at the interactive logon messages. Part of the output will look like:

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

  System information as of Mon 19 Jul 2021 01:30:42 PM MDT

  System load:              0.58
  Usage of /:               5.4% of 1.79TB
  Memory usage:             15%
  Swap usage:               0%
  Temperature:              44.0 C
  Processes:                173
  Users logged in:          1
  IPv4 address for enp0s25: 192.168.0.9
  External IPv4: 123.456.7.89

Friday, July 02, 2021

Fix Corrupt Microsoft Windows Files

Anyone who suspects corrupt Microsoft Windows system files (possibly from a virus or malware) can try the built-in tools before reinstalling the operating system. Bear in mind that these tools restore files from the component store or Windows Update; they repair, they do not investigate, so if malware is the suspicion, capture what you need for analysis before the evidence is overwritten. If you suspect Microsoft Windows Update is not running correctly, you may also try to repair it.


This Microsoft document describes the System File Checker tool (SFC) and DISM. The following examples are for Microsoft Windows 10.


Open a command prompt with elevated privileges:
  • Press Start button
  • Type: cmd
  • Right-click on "Command Prompt" and choose "Run as administrator"


First repair the component store, which is where SFC takes its replacement files from; DISM fetches anything missing from Windows Update. In the command prompt window, type:

  • DISM.exe /Online /Cleanup-image /Restorehealth

 

It will look like:

C:\WINDOWS\system32>DISM.exe /Online /Cleanup-image /Restorehealth

Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19042.985

[==========================100.0%==========================]
The restore operation completed successfully.
The operation completed successfully.

If after running DISM you still see glitches or quirks in Windows, run the System File Checker. It can take a while.

  • sfc /scannow

 

If problems are found, it will look like:

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.
 

Note the location of the log, which you may review. CBS.log is shared with Windows servicing and grows large; the entries SFC wrote are the lines containing [SR], which is why Microsoft's own instructions filter the file with findstr /c:"[SR]".
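The following is an added example in Python, not code from the original post or from Microsoft's document: it does what the findstr filter does and then sorts the [SR] entries into files SFC repaired, files it could not repair, and the verify/repair phase markers, so the answer to "did it actually fix everything" is not buried in a 200 MB log. SAMPLE_LOG is constructed in the CBS.log line format; the component and file names in it are invented.

```python
"""Pull the System File Checker entries ([SR] lines) out of CBS.log and
summarize what was repaired and what could not be.

Added example, not from the original post or Microsoft's document.
SAMPLE_LOG is constructed in the CBS.log format, not copied from a real log.
"""
import re
from collections import Counter

# 2021-07-02 10:15:22, Info                  CSI    00000102 [SR] <message>
SR_RE = re.compile(r"^(?P<ts>\S+ \S+),\s+\S+\s+CSI\s+\S+\s+\[SR\]\s+(?P<msg>.*)$")
# CSI quotes file names as [l:<bytes>{<chars>}]"name"
FILE_RE = re.compile(r'\[l:\d+(?:\{\d+\})?\]"(?P<name>[^"]+)"')


def parse_sr_entries(lines):
    """Return (timestamp, message) for every [SR] line; everything else is ignored."""
    entries = []
    for line in lines:
        m = SR_RE.match(line.rstrip("\r\n"))
        if m:
            entries.append((m.group("ts"), m.group("msg")))
    return entries


def summarize(entries):
    """Classify the messages SFC writes during its verify-and-repair transaction."""
    summary = {"repaired": [], "unrepairable": [], "counts": Counter()}
    for _, msg in entries:
        file_m = FILE_RE.search(msg)
        name = file_m.group("name") if file_m else None
        if msg.startswith("Cannot repair member file"):
            summary["unrepairable"].append(name)
            summary["counts"]["unrepairable"] += 1
        elif msg.startswith("Repairing corrupted file"):
            summary["repaired"].append(name)
            summary["counts"]["repaired"] += 1
        elif msg.startswith("Verify complete") or msg.startswith("Repair complete"):
            summary["counts"]["phases"] += 1
    return summary


def read_cbs_log(path):
    """Stream the log rather than read() it whole; CBS.log can be hundreds of MB."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_sr_entries(fh)


# Constructed sample in the CBS.log format; component and file names are invented.
SAMPLE_LOG = """\
2021-07-02 10:15:21, Info                  CBS    Starting TrustedInstaller initialization.
2021-07-02 10:15:22, Info                  CSI    00000101 [SR] Verifying 100 components
2021-07-02 10:15:22, Info                  CSI    00000102 [SR] Beginning Verify and Repair transaction
2021-07-02 10:15:23, Info                  CSI    00000103 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 10.0.19041.1, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2021-07-02 10:15:24, Info                  CSI    00000104 [SR] Repairing corrupted file [l:24{12}]"example2.dll" from store
2021-07-02 10:15:25, Info                  CSI    00000105 [SR] Verify complete
2021-07-02 10:15:25, Info                  CSI    00000106 [SR] Repair complete
"""

if __name__ == "__main__":
    import sys
    entries = (read_cbs_log(sys.argv[1]) if len(sys.argv) > 1
               else parse_sr_entries(SAMPLE_LOG.splitlines()))
    s = summarize(entries)
    print("repaired:    ", s["repaired"])
    print("unrepairable:", s["unrepairable"])
    print("counts:      ", dict(s["counts"]))
```

Run it as python cbs_sr.py C:\Windows\Logs\CBS\CBS.log from an elevated prompt (the log is readable only by administrators). A non-empty "unrepairable" list is the case where DISM /RestoreHealth needs to run again, this time with a known-good /Source, before repeating sfc /scannow.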





Next, you may want to check that Microsoft Windows Update is running.

Run the Windows Update troubleshooter, which is found in the classic Control Panel.

  • Press Start button and type: control panel
  • Click on the Control Panel app to run it.
  • In the Control Panel app, top right search box, type: update

  • Click on Troubleshooting

  • Press Next to run the troubleshooter and then follow the prompts.


Sunday, June 20, 2021

GSM data security in GPRS 2G

Mobile carriers have been phasing out older mobile technologies and frequencies, so 2G GPRS service is less prevalent. One attack is to deliberately force a phone to downgrade to 2G, which has known weaknesses. The June 2021 paper Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2 shows that GEA-1's nominal 64-bit key gives only about 40 bits of security (GEA-2 is also broken, though with more effort). The authors argue that GEA-1's weakness was built in deliberately.


There is little practical reason for a modern phone to use 2G service, so users should disable it where they can. Some Android phones expose a setting for turning off 2G; others, and some carriers, do not.

This leads to the obvious question of what weaknesses exist in the newer 4G and 5G standards. Many people now use apps such as Signal, which runs its own end-to-end encryption on top of whatever network carries the traffic (4G, 5G or Wi-Fi), so the carrier's link encryption is no longer the only protection.


While you are in Android settings, you may want to review the Google setting that allows silent installation of the exposure-notification (contact tracing) apps. It is not clear whether setting "COVID-19 Exposure Notifications" to off prevents a silent install, or merely allows the download without making the app visible to the user. Completely preventing such installs would likely require stopping Google Play Services.


Thursday, February 11, 2021

MS Windows 10 Border Width

Microsoft made super-skinny window borders in Windows 10. Although there have been a couple of years in which this design mistake could have been corrected, it appears it will not change in the pending release of Windows 11.
It is well past a reasonable time for Microsoft to fix the super-skinny window borders.

The skinny window borders make it challenging to place and align windows. It also makes it challenging for older or disabled persons to grab the side of the window.

The straightforward way to get fat window borders is to turn on a high-contrast theme. This produces drastic visual changes, makes websites look different from what you expect, and removes backgrounds such as the desktop color or picture. Try the change and then decide whether fat window borders are worth the other visual changes in the theme.


Standard MS Windows 10 borders look like this.

Press the Start button and type: themes

Choose the app for "Themes and related settings".

In the Settings window, scroll down and click on "High contrast settings".


Turn on the high contrast slider, then choose theme "High Contrast White" in the drop down list box.


While visually jarring at first, the High Contrast White theme does increase the window border width.



Thursday, July 16, 2020

Tweak Windows 10 Privacy Settings With Spydish

Grab a copy of Spydish and tweak your Microsoft Windows 10 privacy settings. Take control of your PC.



Wednesday, June 17, 2020

Linking Microsoft Access and DBeaver To Postgres

If your desktop is Microsoft Windows, you may have Microsoft Access already installed. With an ODBC driver, you can link it to PostgreSQL running on Linux.

To download the latest ODBC driver, go to https://www.postgresql.org/ftp/odbc/versions/ and choose "msi". Pick the most recent version in the bitness of your Microsoft Access, not of your CPU: ODBC drivers load inside the application's process, so a 32-bit (x86) Access needs the x86 driver and a 64-bit Access needs the x64 driver. In Access, File --> Account --> About Access shows 32-bit or 64-bit; Settings --> System --> About shows which edition of Windows you are running.

Download the zip file from https://www.postgresql.org/ftp/odbc/versions/msi to your PC.
Unzip ("Extract all") the file. In this example, the file name is psqlodbc_12_02_0000-x86, the 32-bit build.

In the new folder, run the psqlodbc installer. If Windows SmartScreen intercepts the install, press "More info" and then "Run anyway", but only after confirming the file really came from postgresql.org over https: SmartScreen warns because the installer is unsigned or has little download reputation, and "Run anyway" is exactly the step a trojaned download would also ask you for.


The psqlODBC Setup Wizard should run.

Press the Microsoft Windows Start button and type: ODBC
Choose program "ODBC Data Sources".

Choose Add, then choose the PostgreSQL driver (the Unicode one is the usual choice) and press Finish. Enter the server, port, database, user and password; press Test, then Save. Two checks are worth making here: set SSL Mode to "require" (or stricter) if the server offers TLS, so credentials and table data do not cross the network in the clear, and remember that a DSN stores the password in the registry in clear text, so on a shared machine leave it blank and let Access prompt for it.

In Microsoft Access, create a new blank database.


After creating the database, go to External Data and press New Data Source, From Other Sources, ODBC Database.



Link to the data source.


In the Machine Data Source tab, pick the connection that had just been set up.

Select the tables and press OK.

The table names will be on the left of Microsoft Access. Double-click to open the table data.



Another database management tool is DBeaver; the open-source Community Edition is available here.
Ubuntu users may install the snap (sudo snap install dbeaver-ce). Microsoft Windows users may install it from the Microsoft Store.

Saturday, June 13, 2020

Install PostgreSQL on Ubuntu 20.04

Let's install a recent version of Postgresql on Ubuntu 20.04. You will need a unix account with sudo privilege. At the end of this post we will do some introductory database commands.

Get familiar with the Linux install:
$ uname -a
Linux d990 5.4.0-37-generic #41-Ubuntu SMP Wed Jun 3 18:57:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal
 

$ df -k
Filesystem      1K-blocks     Used  Available Use% Mounted on
udev              8093132        0    8093132   0% /dev
tmpfs             1627360     1260    1626100   1% /run
/dev/sda2      1921800384 30477352 1793631080   2% /
tmpfs             8136796        0    8136796   0% /dev/shm
tmpfs                5120        0       5120   0% /run/lock
tmpfs             8136796        0    8136796   0% /sys/fs/cgroup
/dev/loop0         160000   160000          0 100% /snap/chromium/1165
/dev/loop2          56320    56320          0 100% /snap/core18/1754
/dev/loop3          63616    63616          0 100% /snap/gtk-common-themes/1506
/dev/loop1          56320    56320          0 100% /snap/core18/1705
/dev/loop7          27776    27776          0 100% /snap/snapd/7264
/dev/loop6          71040    71040          0 100% /snap/lxd/15457
/dev/loop4         160000   160000          0 100% /snap/chromium/1182
/dev/loop5          31104    31104          0 100% /snap/snapd/7777
/dev/loop8          71040    71040          0 100% /snap/lxd/15359
tmpfs             1627356        8    1627348   1% /run/user/1004



Update Ubuntu Linux:
$ sudo apt-get update
$ sudo apt-get upgrade



Read these instructions to set up apt for the current PostgreSQL release; the commands below are copied from that page.
# Create the file repository configuration:
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

# Import the repository signing key.
# (apt-key is deprecated on newer Ubuntu releases; the current PostgreSQL
# instructions save the key to a keyring file and reference it from the
# .list entry with a signed-by= option instead. Check the linked page.)
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

# Update the package lists:
sudo apt-get update

# Install the latest version of PostgreSQL.
# If you want a specific version, use 'postgresql-12' or similar instead of 'postgresql':
sudo apt-get install postgresql


The command "install postgresql" will run for a minute or two. It should end with:
Success. You can now start the database server using:
    pg_ctlcluster 12 main start

Look at the new unix account "postgres". Its /etc/shadow entry is "*" (shown below), so it has no usable Unix password and cannot be logged into directly; you become it with sudo -i -u postgres:
$ cat /etc/group|tail -1
postgres:x:118:
$ cat /etc/passwd|tail -1
postgres:x:112:118:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash


$ sudo grep postgres /etc/shadow
postgres:*:18427:0:99999:7:::


Look at what is running:
$ ps -fu postgres
UID          PID    PPID  C STIME TTY          TIME CMD
postgres  148055       1  0 21:06 ?        00:00:00 /usr/lib/postgresql/12/bin/postgres -D /var/lib/po
postgres  148060  148055  0 21:06 ?        00:00:00 postgres: 12/main: checkpointer
postgres  148061  148055  0 21:06 ?        00:00:00 postgres: 12/main: background writer
postgres  148062  148055  0 21:06 ?        00:00:00 postgres: 12/main: walwriter
postgres  148063  148055  0 21:06 ?        00:00:00 postgres: 12/main: autovacuum launcher
postgres  148064  148055  0 21:06 ?        00:00:00 postgres: 12/main: stats collector
postgres  148065  148055  0 21:06 ?        00:00:00 postgres: 12/main: logical replication launcher
postgres  149432  149431  0 21:16 pts/1    00:00:00 -bash



Check the service manager to see if the database startup is automated:
$ systemctl status postgresql
● postgresql.service - PostgreSQL RDBMS
     Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2020-06-13 21:06:29 MDT; 14h ago
   Main PID: 147715 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 18968)
     Memory: 0B
     CGroup: /system.slice/postgresql.service




By default PostgreSQL listens only on localhost. To allow connections from outside the machine, set listen_addresses in postgresql.conf and restart PostgreSQL. Binding to '*' exposes port 5432 on every interface, so do it only together with a restrictive pg_hba.conf and a host firewall (ufw is inactive on a fresh Ubuntu install), and list the specific address you need instead of '*' where you can.
$ grep listen /etc/postgresql/12/main/postgresql.conf
listen_addresses = '*'

You will also need to edit pg_hba.conf to admit the remote client's address. Add a host (better, hostssl) rule for just the network, database and roles that need it, with scram-sha-256 (or at least md5) as the method; never use trust on a rule reachable from the network, because it skips authentication entirely.
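Once listen_addresses is opened up, pg_hba.conf is the only thing between the network and the database, so it is worth checking mechanically. The following is an added example in Python, not code from the original post or from the PostgreSQL project: it parses pg_hba.conf (both the CIDR and the separate IP/netmask address forms) and flags the rules a reviewer would object to: trust anywhere, anything reachable from 0.0.0.0/0 or ::/0, password or md5 on a plain host rule rather than hostssl, and the postgres superuser (or "all" users) admitted from the network. SAMPLE_PG_HBA is a constructed file, not the one on the author's server.

```python
"""Audit pg_hba.conf before exposing PostgreSQL with listen_addresses = '*'.

Added example, not from the original post or the PostgreSQL docs.
SAMPLE_PG_HBA is constructed; it is not the author's configuration.
"""
import ipaddress


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return one dict per rule, in file order; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":                  # local DATABASE USER METHOD
            if len(fields) < 4:
                continue
            rule = dict(line=lineno, type="local", database=fields[1],
                        user=fields[2], address=None, method=fields[3])
        else:                                     # host* DATABASE USER ADDRESS METHOD
            if len(fields) < 5:
                continue
            address, rest = fields[3], fields[4:]
            if rest and _looks_like_ip(address) and _looks_like_ip(rest[0]):
                address = address + "/" + rest[0]  # "IP MASK" form, e.g. 192.168.0.0 255.255.255.0
                rest = rest[1:]
            if not rest:
                continue
            rule = dict(line=lineno, type=fields[0], database=fields[1],
                        user=fields[2], address=address, method=rest[0])
        rules.append(rule)
    return rules


def _network(address):
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None                               # hostname, samehost, samenet or all


def audit(rules):
    """Return (line number, problem) pairs in the order the rules appear."""
    findings = []
    for r in rules:
        net = _network(r["address"]) if r["address"] else None
        local_only = (r["type"] == "local" or r["address"] == "samehost"
                      or (net is not None and net.is_loopback))
        if r["method"] == "trust":
            findings.append((r["line"], "trust: anyone matching this rule connects without authenticating"))
        if local_only:
            continue
        if r["address"] == "all" or (net is not None and net.prefixlen == 0):
            findings.append((r["line"], "reachable from any address; narrow the CIDR"))
        if r["method"] in ("password", "md5") and r["type"] != "hostssl":
            findings.append((r["line"], "%s on a plain host rule; use hostssl with scram-sha-256" % r["method"]))
        if r["user"] in ("all", "postgres") and r["method"] != "reject":
            findings.append((r["line"], "admits the postgres superuser from the network; name the roles instead"))
    return findings


# Constructed sample: the first five rules are the Debian/Ubuntu defaults, the last three are additions.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    datadb          appuser         192.168.0.0/24          md5
host    all             all             0.0.0.0/0               trust
hostssl datadb          appuser         192.168.0.0 255.255.255.0 scram-sha-256
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PG_HBA
    for line, problem in audit(parse_pg_hba(text)):
        print("line %d: %s" % (line, problem))
```

Run it as sudo python3 hba_audit.py /etc/postgresql/12/main/pg_hba.conf (the file is readable only by the postgres user). In the sample, the last rule is the shape to aim for: one database, one role, one subnet, TLS required, SCRAM authentication; the trust rule above it is the shape that turns an open listen_addresses into an unauthenticated database.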


Software versions:
$ psql -V
psql (PostgreSQL) 12.3 (Ubuntu 12.3-1.pgdg20.04+1)


Let's create a database, list the databases, create a table with a couple of rows, and select from the table. Become the postgres unix account (sudo -i -u postgres) and connect via psql; the default peer rule in pg_hba.conf lets that unix user in as the postgres database superuser without a password:
$ psql
psql (12.3 (Ubuntu 12.3-1.pgdg20.04+1))
Type "help" for help.



postgres=# create database datadb;
CREATE DATABASE

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 datadb    | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

postgres=# \c datadb
You are now connected to database "datadb" as user "postgres".

datadb=# create table testtable (columna text not null, columnb int not null);
CREATE TABLE

datadb=# insert into testtable values ('insertrowone', 1);
INSERT 0 1

datadb=# insert into testtable values ('insertrowtwo', 2);
INSERT 0 1

datadb=# select * from testtable;
   columna    | columnb
--------------+---------
 insertrowone |       1
 insertrowtwo |       2
(2 rows)

datadb=# \q

Sunday, May 10, 2020

Ubuntu Linux High CPU For Swap Process

What do you do if you just installed a fresh Ubuntu 20.04 server and, after installing some packages with apt, notice high CPU usage from what looks like the kernel's swap daemon?

If top shows kswapd0 persistently using high CPU while free -m shows memory and swap are fine, a first thought is to lower the swappiness in /etc/sysctl.conf and reboot:
$ cat /proc/sys/vm/swappiness
60
$ sudo vi /etc/sysctl.conf
$ cat /etc/sysctl.conf | grep vm
vm.swappiness=10


Changing swappiness didn't fix this problem of high CPU usage. Let's dig deep.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal
install@d990 ~ $ uname -a
Linux d990 5.4.0-29-generic #33-Ubuntu SMP Wed Apr 29 14:32:27 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Look closely at "top" output.
$ top
top - 19:03:26 up 7 min,  3 users,  load average: 3.09, 2.72, 1.44
Tasks: 132 total,   1 running, 131 sleeping,   0 stopped,   0 zombie
%Cpu(s): 76.3 us,  0.4 sy,  0.0 ni, 23.2 id,  0.1 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :  15892.2 total,  10206.3 free,   4412.8 used,   1273.1 buff/cache
MiB Swap:   4096.0 total,   4096.0 free,      0.0 used.  11199.7 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1071 kevin     20   0 2435108   2.3g   1480 S 300.0  14.7  20:50.80 kswapd0
   1147 minec     20   0 7861400   1.9g  28544 S   6.6  11.9   1:54.40 java
      1 root      20   0  167604  11524   8368 S   0.0   0.1   0:00.98 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker+
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_perc+
      9 root      20   0       0      0      0 S   0.0   0.0   0:00.01 ksoftir+
     10 root      20   0       0      0      0 I   0.0   0.0   0:00.13 rcu_sch+
     11 root      rt   0       0      0      0 S   0.0   0.0   0:00.00 migrati+
     12 root     -51   0       0      0      0 S   0.0   0.0   0:00.00 idle_in+
     13 root      20   0       0      0      0 I   0.0   0.0   0:00.01 kworker+
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0
     15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1
     16 root     -51   0       0      0      0 S   0.0   0.0   0:00.00 idle_in+
     17 root      rt   0       0      0      0 S   0.0   0.0   0:00.14 migrati+


$ top -u kevin
top - 19:03:59 up 8 min,  3 users,  load average: 3.05, 2.75, 1.49
Tasks: 132 total,   1 running, 131 sleeping,   0 stopped,   0 zombie
%Cpu(s): 76.3 us,  0.3 sy,  0.0 ni, 23.1 id,  0.3 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :  15892.2 total,  10205.5 free,   4413.5 used,   1273.2 buff/cache
MiB Swap:   4096.0 total,   4096.0 free,      0.0 used.  11199.0 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1071 kevin     20   0 2435108   2.3g   1480 S 300.3  14.7  22:28.66 kswapd0
   1015 kevin     20   0   14368   6760   2800 S   0.0   0.0   0:00.00 rsync



Why is kevin in charge of swap? kevin has never logged in to the system.
$ last kevin

wtmp begins Sat May  9 18:16:21 2020
 

$ groups kevin
kevin : kevin
 

$ sudo grep kevin /etc/sudoers
 

$ ps -fu kevin
UID          PID    PPID  C STIME TTY          TIME CMD
kevin       1015       1  0 18:56 ?        00:00:00 rsync
kevin       1071       1 99 18:56 ?        00:11:53 ./kswapd0

That settles it. A genuine kswapd0 is a kernel thread: ps shows it as [kswapd0], owned by root, with parent PID 2 (kthreadd) and no command line. This one is an ordinary user-space binary named kswapd0, started from a relative path (./kswapd0) under an account with no recorded login, with parent PID 1 because whatever launched it has already exited. The rsync process under the same account, with the same parent and no terminal, deserves the same suspicion. Before removing anything, record where the binary lives and what it talks to (sudo ls -l /proc/1071/exe /proc/1071/cwd, and sudo ss -tnp for its connections), and look for persistence in kevin's crontab, ~/.ssh/authorized_keys and any systemd user units, since something got a binary onto the machine under that account without an interactive login.

We know kevin has not logged in, is only in his own group, and does not have sudo. This was the most recent account we created on the machine.
$ tail -1 /etc/passwd
kevin:x:1005:1004:,,,,novice tech learner:/home/kevin:/bin/bash



Comment out the entry in the passwd file.
$ tail -1 /etc/passwd
kevin:x:1005:1004:,,,,novice tech learner:/home/kevin:/bin/bash
 

$ sudo vi /etc/passwd
 

$ tail -1 /etc/passwd
#kevin:x:1005:1004:,,,,novice tech learner:/home/kevin:/bin/bash


Run top, and it won't know the "kevin" username for uid 1005. It is still consuming CPU.
$ top
top - 19:08:43 up 13 min,  3 users,  load average: 3.13, 2.96, 1.92
Tasks: 130 total,   1 running, 129 sleeping,   0 stopped,   0 zombie
%Cpu(s): 76.2 us,  0.6 sy,  0.0 ni, 23.0 id,  0.3 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :  15892.2 total,  10198.5 free,   4413.8 used,   1279.9 buff/cache
MiB Swap:   4096.0 total,   4096.0 free,      0.0 used.  11198.6 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1071 1005      20   0 2435108   2.3g   1480 S 300.7  14.7  36:40.32 kswapd0
   1147 minec     20   0 7861400   1.9g  28544 S   6.7  11.9   2:14.81 java
    375 root      20   0       0      0      0 S   0.3   0.0   0:00.01 jbd2/sd+
      1 root      20   0  167604  11524   8368 S   0.0   0.1   0:01.00 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker+
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_perc+
 


With the passwd entry for kevin commented out, let's reboot and observe what happens.
$ sudo systemctl reboot

$ top
top - 19:14:04 up 1 min,  1 user,  load average: 1.35, 0.61, 0.23
Tasks: 138 total,   1 running, 137 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.3 us,  0.4 sy,  0.0 ni, 99.3 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :  15892.2 total,  12795.1 free,   1850.3 used,   1246.8 buff/cache
MiB Swap:   4096.0 total,   4096.0 free,      0.0 used.  13763.3 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
    898 minec     20   0 7861400   1.7g  28288 S   6.3  10.7   1:20.07 java
    156 root      20   0       0      0      0 I   0.3   0.0   0:00.16 kworker+
    443 root      19  -1  133560  61216  60108 S   0.3   0.4   0:00.61 systemd+
   1206 root      20   0   13416   8268   7096 S   0.3   0.1   0:00.01 sshd
   1207 sshd      20   0   12160   4616   3708 S   0.3   0.0   0:00.01 sshd
      1 root      20   0  167744  11508   8440 S   0.0   0.1   0:03.25 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par+


Let's remove the kevin account properly. Uncomment the line in /etc/passwd and delete the account. userdel -r also removes the home directory, and with it the kswapd0 binary, so copy anything you want to analyze first.
$ sudo vi /etc/passwd
 

$ sudo userdel -r kevin
$ grep kevin /etc/passwd

$ uptime
 19:15:53 up 3 min,  1 user,  load average: 0.21, 0.42, 0.20


Reboot and look for normal functioning.
$ sudo systemctl reboot
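The investigation above was done by eye, from top and ps. The following is an added example in Python, not part of the original post, that encodes the same test so it can be run routinely: it walks a /proc-style tree and reports any process wearing a kernel-thread name (kswapd, kworker, ksoftirqd and so on) that does not have kernel-thread properties, that is, a parent of PID 2 (kthreadd), uid 0, an empty cmdline and no exe target. scan_proc() reads the live /proc and should be run as root so every exe link is readable; build_sample_proc() writes a constructed tree (a real kthreadd and kswapd0, the fake kswapd0 from this post, and the java server) so the check can be exercised offline.

```python
"""Find user-space processes wearing a kernel-thread name, the disguise used
by the fake kswapd0 above.

Added example, not part of the original post. scan_proc() reads the live
/proc (run as root so every exe link is readable); build_sample_proc()
writes a constructed /proc-style tree so the check can be run offline.
"""
import os
import shutil
import tempfile

KERNEL_NAMES = ("kswapd", "kworker", "ksoftirqd", "kthreadd", "migration",
                "rcu_sched", "rcu_gp", "kcompactd", "khugepaged", "jbd2")


def _read(path):
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""                      # process vanished or not readable


def _status_field(status_text, key):
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].split()
    return []


def inspect_process(proc_root, pid):
    """Collect the facts the impostor test needs for one PID."""
    base = os.path.join(proc_root, str(pid))
    status = _read(os.path.join(base, "status"))
    ppid = int((_status_field(status, "PPid") or ["-1"])[0])
    uid = int((_status_field(status, "Uid") or ["-1"])[0])    # real uid
    comm = _read(os.path.join(base, "comm")).strip()
    cmdline = _read(os.path.join(base, "cmdline")).replace("\0", " ").strip()
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None                     # kernel threads have no exe target
    return {"pid": int(pid), "ppid": ppid, "uid": uid, "comm": comm,
            "cmdline": cmdline, "exe": exe}


def is_impostor(info):
    """A kernel-thread name must come with kernel-thread properties."""
    if not info["comm"].startswith(KERNEL_NAMES):
        return False
    if info["pid"] == 2 and info["ppid"] == 0 and not info["cmdline"]:
        return False                   # kthreadd itself
    genuine = (info["ppid"] == 2 and info["uid"] == 0
               and not info["cmdline"] and info["exe"] is None)
    return not genuine


def scan_proc(proc_root="/proc"):
    """Return the impostors found under proc_root, lowest PID first."""
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    return [info for info in (inspect_process(proc_root, p) for p in pids)
            if is_impostor(info)]


def build_sample_proc(root):
    """Write a constructed tree: kthreadd, a real kswapd0, the fake from the post, a java server."""
    def write(pid, ppid, uid, comm, cmdline, exe_target=None):
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write("Name:\t%s\nPPid:\t%d\nUid:\t%d\t%d\t%d\t%d\n" % (comm, ppid, uid, uid, uid, uid))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmdline.encode())
        if exe_target:
            os.symlink(exe_target, os.path.join(d, "exe"))
    write(2, 0, 0, "kthreadd", "")
    write(77, 2, 0, "kswapd0", "")
    write(1071, 1, 1005, "kswapd0", "./kswapd0\0", "/home/kevin/kswapd0")
    write(1147, 1, 1001, "java", "java\0-jar\0server.jar\0", "/usr/bin/java")


def demo_scan():
    """Scan the constructed tree in a temporary directory, then clean up."""
    root = tempfile.mkdtemp()
    try:
        build_sample_proc(root)
        return scan_proc(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in scan_proc():
        print("%(pid)d uid=%(uid)d ppid=%(ppid)d %(comm)s exe=%(exe)s cmdline=%(cmdline)r" % hit)
```

A hit is a process to investigate, not proof of compromise on its own, but the combination seen here (a kernel name, a non-root owner, a parent of PID 1 and an exe under a home directory) has no legitimate explanation. An exe path ending in "(deleted)" is a further sign worth printing: miners often unlink their binary after starting so that nothing is left on disk to find.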



Install Ubuntu 20.04 Server

The server version of Ubuntu had previously been tuned for server-oriented workloads. This is reportedly no longer the case, so a primary difference between Ubuntu 20 server and desktop is that server lacks a graphical user interface.

Download an image from the Ubuntu releases page. Nearly everything is 64-bit. Note that "AMD64" names the x86-64 instruction set, which both AMD and Intel processors run, so you can use the AMD64 image on a modern Intel CPU.

Burn the image to a DVD or other mountable storage. Boot the machine from the storage. This install will use hard-wired Ethernet and a static IP address. If you have a real (typically non-consumer internet service) domain name, use that as the "search domain".


This is a server install, so maybe you do not want "games" in your search path. Backup the "environment" file then remove the games directory from the search path.
$ sudo mv /etc/environment /etc/environment.orig
$ sudo vi /etc/environment
$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


Modify the shell login files in your home directory.
$ cd ~
$ cp -p .bashrc .bashrc.orig
$ mv .profile .profile.orig
$ mv .bashrc .bash_profile

Remove colorization by setting TERM environment variable in .bash_profile.
$ echo $TERM
xterm-256color
$ export TERM=xterm-mono

Edit .bash_profile and put in a bit of color to the command prompt variable PS1.
$ grep 033 ~/.bash_profile
PS1='\[\033[01;32m\]\u@\h\[\033[00m\] \w \$ '


Some people put the present working directory at the end of PATH so that a program in the current directory runs without the ./ prefix. Think twice before doing this on a server: even at the end of PATH, "." is consulted whenever a typed name is not found earlier, so a mistyped or not-yet-installed command run from a directory someone else can write to (a shared tree, /tmp) executes that person's file instead. Typing ./program costs little. If you add the entry anyway, it goes in .bash_profile:

export PATH=$PATH:.
To remove the shell's suggestions for a mistyped command, add this to .bash_profile:
unset command_not_found_handle

Then source the login file, or simply log out and log in again. (Running it as ./.bash_profile would execute it in a child shell and leave the current shell unchanged.)
$ . ~/.bash_profile
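The PATH risk is easy to check for and easy to forget, so here is an added example in Python, not code from the original post, that audits a PATH value for the entries that let a command be hijacked: empty components and "." (both mean the current directory), relative entries, directories that do not exist (anyone who can create them owns the name), and world-writable directories without the sticky bit. demo() builds a constructed PATH from temporary directories so the check runs the same everywhere; the main block audits the real PATH of the shell it runs in.

```python
"""Flag PATH entries that let a command be hijacked from a directory
someone else controls.

Added example, not from the original post. demo() uses a constructed PATH
built from temporary directories; the main block audits the live PATH.
"""
import os
import stat
import tempfile


def audit_path(path_value, stat_fn=os.stat):
    """Return (component, reason) pairs; an empty list means nothing was found."""
    findings = []
    for comp in path_value.split(os.pathsep):
        if comp == "":
            findings.append((comp, "empty component: current directory"))
        elif comp == "." or not os.path.isabs(comp):
            findings.append((comp, "relative entry: resolved against current directory"))
        else:
            try:
                st = stat_fn(comp)
            except OSError:
                findings.append((comp, "missing directory: a hijack target if someone can create it"))
                continue
            if not stat.S_ISDIR(st.st_mode):
                findings.append((comp, "not a directory"))
            elif st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                findings.append((comp, "world-writable without sticky bit"))
    return findings


def demo():
    """Audit a constructed PATH: a private dir, a world-writable dir, a relative
    entry, an empty component and a trailing '.' (the entry from the post)."""
    safe = tempfile.mkdtemp()          # mode 0700: nothing to report
    loose = tempfile.mkdtemp()
    os.chmod(loose, 0o777)             # anyone can drop a binary here
    try:
        path = os.pathsep.join([safe, loose, "bin", "", "."])
        return audit_path(path)
    finally:
        os.rmdir(loose)
        os.rmdir(safe)


if __name__ == "__main__":
    for comp, reason in audit_path(os.environ.get("PATH", "")):
        print("%-30r %s" % (comp, reason))
```

The "missing directory" case is the subtle one: an entry such as ~/bin that does not exist yet is harmless only as long as nobody else can create it, which is why the check treats it as a finding rather than skipping it.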


Get familiar with the install and the machine.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal
 


$ uname -a
Linux d990 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 

$ lspci
00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)
00:16.3 Serial controller: Intel Corporation 6 Series/C200 Series Chipset Family KT Controller (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 04)
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 1 (rev b4)
00:1c.2 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 3 (rev b4)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a4)
00:1f.0 ISA bridge: Intel Corporation Q67 Express Chipset LPC Controller (rev 04)
00:1f.2 RAID bus controller: Intel Corporation SATA Controller [RAID mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 6 Series/C200 Series Chipset Family SMBus Controller (rev 04)
 

$ df -k
Filesystem      1K-blocks    Used  Available Use% Mounted on
udev              8093172       0    8093172   0% /dev
tmpfs             1627360    1204    1626156   1% /run
/dev/sda2      1921800384 9591096 1814517336   1% /
tmpfs             8136796       0    8136796   0% /dev/shm
tmpfs                5120       0       5120   0% /run/lock
tmpfs             8136796       0    8136796   0% /sys/fs/cgroup
/dev/loop0          27776   27776          0 100% /snap/snapd/7264
/dev/loop1          56320   56320          0 100% /snap/core18/1705
/dev/loop2          70656   70656          0 100% /snap/lxd/14804
tmpfs             1627356       0    1627356   0% /run/user/1000


Familiarize yourself with the network configuration.
$ ls -l /etc/netplan
total 4
-rw-r--r-- 1 root root 280 May 10 00:03 00-installer-config.yaml

$ cat /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp0s25:
      addresses:
      - 192.168.0.9/24
      gateway4: 192.168.0.1
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
        search:
        - duckdns.org
  version: 2



Look at the syslog.
$ sudo tail /var/log/syslog

Look at the running processes, then look at running services.
$ ps -ef | more
$ systemctl list-units --all --type=service --no-pager

Let's remove a service we don't want automatically started, and one we don't need.
$ sudo systemctl stop rsync
$ sudo systemctl disable rsync

$ systemctl status vgauth
● vgauth.service - Authentication service for virtual machines hosted on VMware
     Loaded: loaded (/lib/systemd/system/vgauth.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sun 2020-05-10 00:16:27 UTC; 2h 30min ago
       Docs: http://github.com/vmware/open-vm-tools

May 10 00:16:27 d990 systemd[1]: Condition check resulted in Authentication service for virtual machines hosted on VMware being skipped.


$ sudo systemctl stop vgauth
$ sudo systemctl disable vgauth

$ systemctl status open-vm-tools
● open-vm-tools.service - Service for virtual machines hosted on VMware
     Loaded: loaded (/lib/systemd/system/open-vm-tools.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sun 2020-05-10 02:56:23 UTC; 3min 54s ago
       Docs: http://open-vm-tools.sourceforge.net/about.php

May 10 02:56:23 d990 systemd[1]: Condition check resulted in Service for virtual machines hosted on VMware being skipped.
 

$ sudo systemctl stop open-vm-tools
[sudo] password for install:
 

$ sudo systemctl disable open-vm-tools
Synchronizing state of open-vm-tools.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable open-vm-tools
Removed /etc/systemd/system/multi-user.target.wants/open-vm-tools.service.

$ systemctl status open-vm-tools
● open-vm-tools.service - Service for virtual machines hosted on VMware
     Loaded: loaded (/lib/systemd/system/open-vm-tools.service; indirect; vendor preset: enabled)
     Active: inactive (dead)
       Docs: http://open-vm-tools.sourceforge.net/about.php

May 10 02:56:23 d990 systemd[1]: Condition check resulted in Service for virtual machines hosted on VMware being skipped.
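The stop/disable steps above are done one service at a time by hand. The following is an added example (not from the original post) that turns the same idea into a repeatable check: list every enabled service that is not on an allowlist, then stop and disable the leftovers. The allowlist is an assumption for illustration, and the input is read from standard input so it also works against saved systemctl output.

```shell
#!/bin/sh
# Added example, not from the original post: report enabled systemd services
# that are not on an explicit allowlist, so leftovers such as rsync or the
# VMware guest services stand out after an install.
#
# Input: the output of
#   systemctl list-unit-files --type=service --state=enabled --no-legend --no-pager
# read from standard input, so the same check runs against saved output.

# Baseline of services expected to stay enabled (an assumption for
# illustration; replace with the baseline for your own server).
ALLOWED_SERVICES="ssh cron rsyslog systemd-timesyncd apache2"

# Print the unit name of every enabled service not in ALLOWED_SERVICES.
unexpected_enabled_services() {
    awk -v allowed="$ALLOWED_SERVICES" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i] ".service"] = 1
        }
        # Column 1 is the unit file, column 2 its enablement state.
        $2 == "enabled" && $1 ~ /\.service$/ && !($1 in ok) { print $1 }
    '
}

# Stop and disable each unit named on stdin ("disable --now" is the one-step
# form of the stop + disable pair used above). With DRY_RUN=1 the commands
# are printed instead of executed, so the plan can be reviewed first.
disable_units() {
    while read -r unit; do
        [ -n "$unit" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "systemctl disable --now $unit"
        else
            systemctl disable --now "$unit"
        fi
    done
}

# Typical use on the live system (needs root to actually disable anything):
#   systemctl list-unit-files --type=service --state=enabled --no-legend --no-pager \
#       | unexpected_enabled_services | DRY_RUN=1 disable_units
```

Run it with DRY_RUN=1 first and read the plan; a unit that should never be started again even by dependency can additionally be masked with systemctl mask.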


This is a server, so we don't need a sound daemon (PulseAudio) attaching to a sound card; remove it.
$ apt list pulseaudio
Listing... Done
pulseaudio/focal-updates 1:13.99.1-1ubuntu3.5 amd64 [upgradable from: 1:13.99.1-1ubuntu3.3]
N: There are 3 additional versions. Please use the '-a' switch to see them.
$ sudo apt remove pulseaudio

Since this is a server install, the majority of the time it will be accessed remotely. A person using an X display may want to work with images, so install an image viewer such as eog.
$ sudo apt install eog


Disable the Ubuntu news item (motd-news) that is printed at shell login.
$ sudo chmod -x /etc/update-motd.d/50-motd-news

Note the firewall is not active.
$ sudo ufw status
Status: inactive


Install software updates. You may need to reboot the machine to apply all software updates.
$ sudo apt update
$ sudo apt upgrade
$ sudo systemctl reboot

Familiarize yourself with users and groups.
$ cat /etc/passwd
$ cat /etc/group

Add users and groups.
$ sudo addgroup minecrft
Adding group `minecrft' (GID 1001) ...
Done.
$ sudo adduser minec --ingroup minecrft
Adding user `minec' ...
Adding new user `minec' (1001) with group `minecrft' ...
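After adding accounts it is worth re-reading /etc/passwd with a critical eye. The following is an added example (not from the original post): an audit of passwd-format lines that flags any UID-0 account other than root and any system account that still has an interactive shell, plus a helper that creates a service account the way a daemon such as a game server should run, with its own group and no login shell. The account name and the DRY_RUN switch are assumptions for illustration; the sample lines in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/passwd entries after
# adding users, and create a dedicated service account (own group, no login
# shell) for a daemon.
#
# audit_passwd reads passwd-format lines from stdin and prints one finding
# per line. Usage on the live system:  audit_passwd < /etc/passwd

# Flag (1) any account other than root with UID 0 and (2) any system account
# (UID below 1000, the Debian/Ubuntu boundary for ordinary users) whose
# shell is not one of the non-interactive ones (nologin, false, sync).
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync)$/ { print "shell:" $1 }
    '
}

# Print or run the adduser command for a service account. "adduser --system"
# picks a UID in the system range, "--group" creates a matching group, and
# /usr/sbin/nologin refuses interactive logins. With DRY_RUN=1 the command is
# printed rather than executed (running it for real needs root).
create_service_account() {
    name="$1"
    cmd="adduser --system --group --no-create-home --shell /usr/sbin/nologin $name"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Example: DRY_RUN=1 create_service_account minec
# prints: adduser --system --group --no-create-home --shell /usr/sbin/nologin minec
```

A daemon that needs a data directory can be given one with --home instead of --no-create-home; the point of the helper is that the account cannot be logged into and belongs to its own group rather than to a human user's group.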


On a consumer-type internet connection, you may want to configure a dynamic DNS service such as DuckDNS. Create the user, get your information from duckdns.org, then configure software.
$ sudo addgroup duckdns
$ sudo adduser duckdns --ingroup duckdns
Read this to configure the software and crontab entry for duckdns.


Let's change the time zone to Amsterdam.
$ cat /etc/timezone
Etc/UTC
$ timedatectl
               Local time: Sun 2020-05-10 19:12:56 UTC
           Universal time: Sun 2020-05-10 19:12:56 UTC
                 RTC time: Sun 2020-05-10 19:12:56
                Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

$ timedatectl list-timezones | grep -i ams
Europe/Amsterdam

$ sudo timedatectl set-timezone Europe/Amsterdam

$ cat /etc/timezone
Europe/Amsterdam

$ timedatectl
               Local time: Sun 2020-05-10 21:14:02 CEST
           Universal time: Sun 2020-05-10 19:14:02 UTC
                 RTC time: Sun 2020-05-10 19:14:02
                Time zone: Europe/Amsterdam (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no



We could disable cloud initialization without removing it by creating its marker file:
$ sudo touch /etc/cloud/cloud-init.disabled
Instead, let's remove the package.
$ sudo apt remove cloud-init


Optionally, install a VNC server (which provides an X display) and a terminal.
$ sudo apt install tightvncserver
$ sudo apt install xterm
Then configure your .Xresources file.


Optionally, install the JavaScript runtime (Node.js) via apt.
$ sudo apt install nodejs
$ which node
/usr/bin/nodejs
$ nodejs --version
v10.19.0

$ sudo apt install chromium-browser
$ which chromium-browser
/usr/bin/chromium-browser

Optionally, upgrade the node software.
$ curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -
$ sudo apt install nodejs
$ which node
/usr/bin/node
$ node -v
v12.16.3
$ npm -v
6.14.4



Anyone editing files with vim (vi is typically vim) may want to learn the basics of the .vimrc startup file.
$ cat ~/.vimrc
syntax off
set showmatch
set hlsearch
set matchpairs+=<:>,(:),{:},[:]

:nmap <F1> <nop>


For a graphical editor, install nedit.
$ sudo apt install nedit


Familiarize yourself with memory and disk space, network interfaces and networking, and how the machine is running. Review the output from the following commands.
Since ifconfig is deprecated, use the ip command instead. Instead of traceroute, use the mtr command.
$ free -m
$ df -k
$ sudo lshw


$ landscape-sysinfo
$ top
$ htop


$ ip a
$ mtr wunderground.com 

__________________________________________________________

Update to this blog post: a more readable explanation of the network settings to use when installing from the console. These examples use IP address 192.168.0.6.

$ ls -l /etc/netplan
total 4
-rw-r--r-- 1 root root 260 Oct 16 21:13 00-installer-config.yaml

$ cat /etc/netplan/*
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp5s0:
      addresses:
      - 192.168.0.6/24
      gateway4: 192.168.0.1
      nameservers:
        addresses:
        - 1.1.1.1
        - 8.8.8.8
        search: []
  version: 2

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:5b:e7:a4:f9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global enp5s0
       valid_lft forever preferred_lft forever
    inet6 fe80::be30:5bff:fee7:a4f9/64 scope link
       valid_lft forever preferred_lft forever

Sunday, April 26, 2020

Install Apache On Ubuntu Linux

Install the Apache web server on Ubuntu Linux. You will need to be able to install software and start services, so this example uses a Linux account with full sudo. In this example the Linux user name is "testuser".

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic


$ hostname -I
192.168.0.9


$ sudo ufw status
Status: inactive


# Update package list and install Apache.

$ sudo apt update
...
Fetched 2,854 kB in 2s (1,395 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

$ sudo apt install apache2
...
Created symlink /etc/systemd/system/multi-user.target.wants/apache2.service → /lib/systemd/system/apache2.service.
Created symlink /etc/systemd/system/multi-user.target.wants/apache-htcacheclean.service → /lib/systemd/system/apache-htcacheclean.service.
...

# Note the screen output shows symlinks in the configuration directories for the system services.

# Let's see what is running.
$ systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Sun 2020-04-26 12:08:28 MDT; 2min 6s ago
 Main PID: 29916 (apache2)
    Tasks: 55 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─29916 /usr/sbin/apache2 -k start
           ├─29918 /usr/sbin/apache2 -k start
           └─29919 /usr/sbin/apache2 -k start



# Use a web browser to go to the machine name or IP address.
# Earlier you found the IP address by typing "hostname -I".



# It is kind of the developers and package maintainers to put instructions on the home page! 

# Let's look at the index.html file.
$ cd /var/www/html
$ ls -l
total 12
-rw-r--r-- 1 root root 10918 Apr 26 12:08 index.html

# Since the file is owned by root, we can guess that no "apache" unix logon was created.
$ grep apa /etc/passwd
# Nothing found. Also look at last line of /etc/passwd for a new entry.
$ tail -1 /etc/passwd

# Since software often has errors, bugs, and security holes, an attacker may exploit those
# holes and possibly gain access as the user which is running the software.
# The apache software is being run as root. It had better be perfect software!
# Let's look further.

$ ps -ef | grep apache
root     29916     1  0 12:08 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 29918 29916  0 12:08 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 29919 29916  0 12:08 ?        00:00:00 /usr/sbin/apache2


# Processes are running both as root and as the pre-existing unix logon www-data.

# Let's see if www-data is a less-privileged account than root.
$ groups www-data
www-data : www-data
$ sudo grep www /etc/sudoers

# No output from grep, so it looks like www-data doesn't have sudo. This is good.
# To open a listening connection on a "low numbered port", you typically need to be root.
# Maybe that is why part of the web server is started as root. This is something to further explore.
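The guess above is right: binding a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability), so the Apache parent process keeps root, binds port 80, and forks children that switch to the User/Group set in /etc/apache2/envvars (APACHE_RUN_USER, www-data on Debian/Ubuntu). Requests are handled only by those children, which is why the parent being root matters less than it first appears. The following is an added example (not from the original post) that checks this from ps output: any apache2 process that is not the parent but is still running as something other than www-data is reported. The ps lines in the usage are constructed from the sample above.

```shell
#!/bin/sh
# Added example, not from the original post: check from "ps -ef" output that
# only the Apache parent (started by init, PPID 1) runs as root and every
# worker it forked runs as the unprivileged www-data account.
#
# Usage on the live system:  ps -ef | apache_workers_not_dropped
# Prints nothing when all workers have dropped privileges.

# Read ps -ef lines from stdin; print "<pid> <user>" for any apache2 process
# that is not the parent (PPID != 1) yet is not running as the expected
# worker account (default www-data, overridable as the first argument).
apache_workers_not_dropped() {
    expected="${1:-www-data}"
    awk -v want="$expected" '
        # ps -ef columns: UID PID PPID C STIME TTY TIME CMD...
        # Only the command column is matched, so the "grep apache" line
        # from the shell itself is ignored.
        $8 ~ /apache2$/ && $3 != 1 && $1 != want { print $2, $1 }
    '
}

# Example with the lines from the page (constructed input):
#   printf 'root     29916     1  0 12:08 ?        00:00:00 /usr/sbin/apache2 -k start\n' \
#     | apache_workers_not_dropped        -> no output, the parent is allowed to be root
#   printf 'root     29918 29916  0 12:08 ?        00:00:00 /usr/sbin/apache2 -k start\n' \
#     | apache_workers_not_dropped        -> "29918 root", a worker that kept root
```

A worker still running as root usually means the User/Group directive (or APACHE_RUN_USER in envvars) was changed or the server was started by hand rather than through systemctl; either way it is worth investigating before exposing the server.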

# For now, let's change the static web page served from the file index.html.
$ cd /var/www/html
$ ls -l
total 12
-rw-r--r-- 1 root root 10918 Apr 26 12:08 index.html
$ sudo cp index.html index.html.orig
$ ls -l
total 24
-rw-r--r-- 1 root root 10918 Apr 26 12:08 index.html
-rw-r--r-- 1 root root 10918 Apr 26 12:29 index.html.orig


# Edit the file and add some text. When editing the file, search for "welcome" and change the text.
$ sudo vi index.html
# In the "content_section_text", you may want to add a new paragraph tag and a couple of lines such as:
<p>
“I'm a great believer in luck, and I find the harder I work the more I have of it.”
<a href="https://plato.stanford.edu/entries/jefferson">Thomas Jefferson</a>
</p>

# Reload your web browser to see your changes.



# Verify that systemctl is set up properly to start and stop the web server.
$ sudo systemctl stop apache2.service
$ ps -ef|grep apac
testuser       32236 28823  0 14:58 pts/0    00:00:00 grep apac


$ sudo systemctl start apache2.service
$ ps -ef | grep apac
root     32262     1  0 14:58 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 32264 32262  0 14:58 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 32265 32262  0 14:58 ?        00:00:00 /usr/sbin/apache2 -k start
testuser       32327 28823  0 14:58 pts/0    00:00:00 grep apac

$ systemctl status apache2.service
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Sun 2020-04-26 14:58:53 MDT; 17s ago
  Process: 32214 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
  Process: 32242 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 32262 (apache2)
    Tasks: 55 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─32262 /usr/sbin/apache2 -k start
           ├─32264 /usr/sbin/apache2 -k start
           └─32265 /usr/sbin/apache2 -k start

If you run the firewall, remember to allow incoming connections to the Apache web server.
$ sudo ufw enable
$ sudo ufw allow www
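The order of those two commands matters when you administer the machine over SSH: ufw's default policy denies incoming traffic, so enabling it before allowing port 22 can cut off the very session you are typing in (the earlier "ufw status: inactive" check is the moment to plan this). The following is an added example (not from the original post) that issues the ufw commands in a safe order and lets you review them first. The port list is an assumption for a web server administered over SSH; the DRY_RUN switch is part of the example, not of ufw.

```shell
#!/bin/sh
# Added example, not from the original post: bring up ufw in an order that
# does not lock a remote administrator out. Allow the needed ports first,
# then enable the firewall with its default "deny incoming" policy.
#
# With DRY_RUN=1 the ufw commands are printed instead of run, so the plan
# can be reviewed before running it as root.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Default-deny inbound, allow SSH and HTTP, then enable. "--force" skips
# ufw's interactive "may disrupt existing ssh connections" prompt, which is
# safe here only because port 22 was allowed on the line before.
enable_firewall() {
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw allow 22/tcp
    run ufw allow 80/tcp
    run ufw --force enable
}

# Read a plan (one ufw command per line) from stdin and exit 0 only if SSH is
# allowed before the firewall is enabled; used to check the ordering above.
ssh_allowed_before_enable() {
    awk '
        /allow 22\/tcp/      { allow = NR }
        /ufw --force enable/ { enable = NR }
        END { exit !(allow && enable && allow < enable) }
    '
}

# Review first:  DRY_RUN=1 enable_firewall
# Then apply:    sudo sh -c '. ./firewall.sh; enable_firewall'   (path is an assumption)
```

If HTTPS is added later, allow 443/tcp the same way before reloading; "ufw status verbose" shows the active rules and default policies so the result can be checked from another session before the current one is closed.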