Monthly Archives: July 2017

A Day in the Life


From blasting performance bottlenecks and slashing application downtime to defending against data loss and endlessly having to instruct end users to “turn it off and on again,” system administrators are the grease that keeps the wheels of modern businesses turning day in and day out.

Since 2000, these typically unsung heroes of the enterprise have been recognized in July with System Administrator Appreciation Day. The holiday, celebrated on the last Friday of July, was created by sysadmin Ted Kekatos, who was inspired by a Hewlett-Packard ad for laser printers. The ad showed a sysadmin receiving flowers and gifts from grateful co-workers.

For SysAdmin Appreciation Day 2017, and to honor sysadmins around the world for all the times they’ve come to the rescue, SolarWinds polled its THWACK community of 130,000 IT professionals to caption “A Day in the Life of the sysadmin.” They say a picture is worth a thousand words, so SolarWinds captured the best captions that show the witty and funny side of life as a sysadmin.

Happy SysAdmin Day 2017!




Easily Update Ubuntu and Debian Systems with uCareSystem | Linux.com


Updates are something that are often ignored for one reason or another. However, if you’re not making a daily (or at least weekly) habit of updating your systems, then you are doing yourself, your servers, and your company a disservice.

And, even if you are regularly updating your Ubuntu and Debian systems, you may be doing the bare minimum, thereby leaving out some rather important steps.

As with nearly every aspect of Linux, fortunately, there’s an app that does an outstanding job of taking care of those upgrading tasks. A single command will:

  • Update the list of available packages

  • Download and install all available updates for the system

  • Check for and remove any old Linux kernels (retaining the current running kernel and one previous version)

  • Clear the retrieved packages

  • Uninstall obsolete and orphaned packages

  • Delete package settings from previously uninstalled software

That’s a lot of jobs for one command—but ucaresystem-core handles all this with ease. Considering that one command takes the place of at least eight commands, that’s a big time saver.

In fact, here are the commands ucaresystem-core can take care of:

  • apt update

  • apt upgrade

  • apt autoremove

  • apt clean

  • uname -r (do NOT remove this kernel)

  • dpkg --list | grep linux-image

  • sudo apt-get purge linux-image-X.X.X-X-generic (Where X.X.X-X is the kernel to be removed)

  • sudo update-grub2

If you love spending time at a terminal window, that’s great. But if you have a lot of systems to update, you’re probably looking out for something to make your job a bit more efficient. That’s where ucaresystem-core comes in.

I’ve been using ucaresystem-core for more than a year now (with Elementary OS and Ubuntu) and have yet to encounter a single problem. In fact, this particular tool has become one of the first I install on all Ubuntu and Debian systems. I trust it…it works.

So, how can you get this incredibly handy tool? Let’s walk through the process of installing ucaresystem-core, how to use it, and how to automate it.

Installation

The first thing you must do is install ucaresystem-core. We’ll be downloading the .deb file (as the Utappia repository seems to no longer contain a release file). Here’s how:

  1. Download the .deb file that matches your operating system release into your ~/Downloads directory

  2. Change into the ~/Downloads directory with the command cd ~/Downloads

  3. Install the deborphan dependency with the command sudo apt install deborphan

  4. Install ucaresystem-core with the command sudo dpkg -i ucaresystem-core*.deb

That’s it for the installation; ucaresystem-core is ready to go.

Running ucaresystem-core

You might have guessed by now that running this all-in-one command is very simple, and you would be correct. To fire up ucaresystem-core, go back to your terminal and issue the command:

sudo ucaresystem-core

This will launch the tool, which will immediately warn you that it will kick off in five seconds (Figure 1).

As the command runs, it requires zero user input, so you can walk away and wait for the process to complete (how long it takes will depend upon how much needs to be updated, how much needs to be removed, the speed of your system, and the speed of your Internet connection).

The one caveat to ucaresystem-core is that it does not warn you should you need to reboot your machine (if a newer kernel is installed). Instead, you have to scroll up to near the beginning of the output to see what has been upgraded (Figure 2).

If you cannot scroll up in your terminal, you can always view the dpkg log found in /var/log/dpkg.log. In this file, you will see everything ucaresystem-core has upgraded (including a handy time-stamp — Figure 3).
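A kernel that is installed but not yet booted leaves the machine running the old one, so the log check described above is worth scripting. The following is an added example, not from the original article or the ucaresystem project: it scans dpkg.log lines for versioned linux-image packages installed or upgraded since the last boot, and the sample log lines, versions and function names are constructed for illustration.

```python
import re

# Action lines in /var/log/dpkg.log look like:
#   2017-07-20 00:01:12 install linux-image-4.10.0-28-generic:amd64 <none> 4.10.0-28.32
# The release must start with a digit, which skips metapackages
# such as linux-image-generic.
ACTION = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>install|upgrade) "
    r"linux-image-(?P<release>\d[^\s:]*)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)

def kernel_changes(log_lines, since=""):
    """Return (timestamp, action, release, new_version) for every versioned
    kernel image installed or upgraded at or after `since`.
    `since` uses the log's own 'YYYY-MM-DD HH:MM:SS' format, so plain
    string comparison orders the timestamps correctly."""
    changes = []
    for line in log_lines:
        m = ACTION.match(line.strip())
        if m and m["ts"] >= since:
            changes.append((m["ts"], m["action"], m["release"], m["new"]))
    return changes

def reboot_needed(log_lines, boot_time):
    """True if any kernel image was installed or upgraded after boot_time."""
    return bool(kernel_changes(log_lines, since=boot_time))

# Constructed sample log (package versions are illustrative, not real output).
SAMPLE_LOG = """\
2017-07-19 00:00:41 upgrade libssl1.0.0:amd64 1.0.2g-1ubuntu11 1.0.2g-1ubuntu11.2
2017-07-19 00:00:43 status installed libssl1.0.0:amd64 1.0.2g-1ubuntu11.2
2017-07-20 00:01:12 install linux-image-4.10.0-28-generic:amd64 <none> 4.10.0-28.32
2017-07-20 00:01:30 status installed linux-image-4.10.0-28-generic:amd64 4.10.0-28.32
2017-07-20 00:01:31 upgrade linux-image-generic:amd64 4.10.0.26.28 4.10.0.28.30
2017-07-20 00:02:05 remove linux-image-4.10.0-22-generic:amd64 4.10.0-22.24 <none>
""".splitlines()

if __name__ == "__main__":
    # Constructed boot time: the machine was last booted before the nightly run.
    for ts, action, release, version in kernel_changes(SAMPLE_LOG, "2017-07-19 08:00:00"):
        print(f"{ts}: {action} of kernel {release} ({version}); reboot to run it")
```

On a live system, pass the lines of /var/log/dpkg.log and the output of `uptime -s`, which prints the boot time in the same timestamp format.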

How much space did we gain?

Since my Elementary OS is set up such that ucaresystem-core is run as a cron job, I installed a fresh instance on an Ubuntu 17.10 desktop to test how much space would be freed after a single run. This instance was a VirtualBox VM, so space was at a premium. Prior to running the ucaresystem-core command the VM was using 6.8GB out of 12GB. After the run, the VM was using 6.2GB out of 12GB. Although that may not seem like a large amount, when you’re dealing with limited space, every bit counts. Plus, if you consider it went from 37 percent to 34 percent usage, it might seem like a better savings. On top of that, the system is now clean and running the most recent versions of all software…with the help of a single command.

Automating the task

Because ucaresystem-core doesn’t require user input, it is very easy to automate this, with the help of cron. Let’s say you want to run ucaresystem-core every night at midnight. To do this, open a terminal window and issue the command sudo crontab -e. Once you’re in your crontab editor, add the following to the bottom of the file:

0 0 * * * /usr/bin/ucaresystem-core

Save and close the crontab file. The command will now run every night at midnight. Thanks to the dpkg log file, you can check to see the results.

Should you want to set up ucaresystem-core to run at a different time/day, I suggest using the Crontab Guru to help you know how to enter the time/date for your cron job.

Keep it simple, keep it clean

You will be hard-pressed to find a simpler method to keep your Ubuntu and Debian systems both updated and clean, than with ucaresystem-core. I highly recommend you employ this very handy tool for any system that you want always updated and free of the cruft that can be left behind by such a process.

Of course, if you prefer to do everything by hand, that is an even more reliable method. However, when you don’t always have time for that, there’s always ucaresystem-core.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

Building IPv6 Firewalls: IPv6 Security Myths | Linux.com


We’ve been trundling along nicely in IPv6, and now it is time to keep my promise to teach some iptables rules for IPv6. In this two-part series, we’ll start by examining some common IPv6 security myths. Every time I teach firewalls I have to start with debunking myths because there are a lot of persistent weird ideas about the so-called built-in IPv6 security. In part 2 next week, you will have a nice pile of example rules to use.

Security yeah, no

You might recall the optimistic claims back in the early IPv6 days of all manner of built-in security that would cure the flaws in IPv4, and we would all live happily ever after. As usual, ’tisn’t exactly so. Let’s take a look at a few of these.

IPsec is built-in to IPv6, rather than added on as in IPv4. This is true, but it’s not particularly significant. IPsec, IP Security, is a set of network protocols for encrypting and authenticating network traffic. IPsec operates at the Network layer. Other encryption protocols that we use every day, such as TLS/SSL and SSH, operate higher up in the Transport Layer, and are application-specific.

IPsec operates similarly to TLS/SSL and SSH with encryption key exchanges, authentication headers, payload encryption, and complete packet encryption in encrypted tunnels. It works pretty much the same in IPv6 and IPv4 networks; patching code isn’t like sewing patches on clothing, with visible lumps and seams. IPv6 is approaching 20 years old, so whether certain features are built-in or bolted-on isn’t relevant anyway.

The promise of IPsec is automatic end-to-end security protecting all traffic over an IP network. However, implementing and managing it is so challenging we’re still relying on our old favorites like OpenVPN, which uses TLS/SSL, and SSH to create encrypted tunnels.

IPsec in IPv6 is mandatory. No. The original specification required that all IPv6 devices support IPsec. This was changed in 2011, in RFC 6434, Section 11, from MUST to SHOULD. In any case, having it available is not the same as using it.

IPsec in IPv6 is better than in IPv4. Nah. Pretty much the same.

NAT = Security. No no no no no no, and NO. NAT is not and never has been about security. It is an ingenious hack that has extended the lifespan of IPv4 many years beyond its expiration date. The little bit of obfuscation provided by address masquerading doesn’t provide any meaningful protection, and it adds considerable complexity by requiring applications and protocols to be NAT-aware. It requires a stateful firewall which must inspect all traffic, keep track of which packets go to your internal hosts, and rewrite multiple private internal addresses to a single external address. It gets in the way of IPsec, geolocation, DNSSEC, and many other security applications. It creates a single point of failure at your external gateway and provides an easy target for a Denial of Service (DoS) attack. NAT has its merits, but security is not one of them.

Source routing is built-in. This is true; whether it is desirable is debatable. Source routing allows the sender to control forwarding, instead of leaving it up to whatever routers the packets travel through, which is usually Open Shortest Path First (OSPF). Source routing is sometimes useful for load balancing, and managing virtual private networks (VPNs); again, whether it is an original feature or added later isn’t meaningful.

Source routing presents a number of security problems. You can use it to probe networks and gain information and bypass security devices. Routing Header Type 0 (RH0) is an IPv6 extension header for enabling source routing. It has been deprecated because it enables a clever DoS attack called amplification, which is bouncing packets between two routers until they are overloaded and their bandwidth exhausted.

IPv6 networks are protected by their huge size. Some people have the idea that because the IPv6 address space is so large this provides a defense against network scanning. Sorry but noooo. Hardware is cheap and powerful, and even when we have literally quintillions of potential addresses to use (an IPv6 /64 network segment is 18.4 quintillion addresses) we tend to organize our networks in predictable clumps.

The difficulties of foiling malicious network scanning are compounded by the fact that certain communications are required for computer networks to operate. The problem of controlling access is beyond the abilities of any protocol to manage for us. Read Network Reconnaissance in IPv6 Networks for a lot of interesting information on scanning IPv6 networks, which attacks require local access and which don’t, and some ways to mitigate hostile scans.
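To see how much of your own address plan falls into such predictable clumps, you can classify the interface identifiers (the low 64 bits) in an address inventory. This is an added example, not from the original article; the pattern names, the heuristics and the inventory (in the 2001:db8::/32 documentation prefix) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def classify_iid(addr):
    """Heuristically label the interface identifier (low 64 bits) of addr."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if iid < (1 << 16):
        return "low-byte"        # ::1, ::53 ... hosts numbered by hand
    if iid < (1 << 32):
        return "embedded-ipv4"   # IPv4 address stored in the low 32 bits
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"          # ff:fe in the middle: derived from the MAC
    # One IPv4 octet written per 16-bit group, e.g. ::192:0:2:25
    words = [format((iid >> shift) & 0xFFFF, "x") for shift in (48, 32, 16, 0)]
    if all(w.isdigit() and int(w) <= 255 for w in words):
        return "embedded-ipv4"
    return "opaque"              # no obvious structure (random or hashed)

def audit(addresses):
    """Return (Counter of patterns, share of addresses with visible structure)."""
    counts = Counter(classify_iid(a) for a in addresses)
    structured = sum(n for kind, n in counts.items() if kind != "opaque")
    return counts, structured / len(addresses)

# Constructed inventory; replace with an export of your own assigned addresses.
INVENTORY = [
    "2001:db8:0:1::1",                      # router numbered ::1
    "2001:db8:0:1::53",                     # DNS server numbered after its port
    "2001:db8:0:1::c000:20a",               # 192.0.2.10 in the low 32 bits
    "2001:db8:0:2:192:0:2:25",              # 192.0.2.25, one octet per group
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",      # SLAAC with a MAC-derived identifier
    "2001:db8:0:1:8d4c:71e2:9a0b:3f67",     # randomized identifier
]

if __name__ == "__main__":
    counts, share = audit(INVENTORY)
    for kind, n in counts.most_common():
        print(f"{kind:14} {n}")
    print(f"{share:.0%} of addresses follow a recognizable pattern")
```

A high share means the 18.4 quintillion addresses of a /64 offer little cover for those hosts, so access control has to come from the firewall rather than from obscurity.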

Multitudes of Attack Vectors

Attacks on our networks come from all manner of sources: social engineering, carelessness, spam, phishing, operating system vulnerabilities, application vulnerabilities, ad networks, tracking and data collection, snooping by service providers… going all tunnel vision on an innocent networking protocol misses almost everything.

Come back next week for some nice example IPv6 firewall rules.

You might want to review the previous installments in our meandering IPv6 series:


Endless OS, a Distribution Without Internet » Linux Magazine


Linux may or may not be able to crack the declining consumer PC market, thanks to smartphones and tablets, but a huge market exists that still needs to be tapped. One open source company, Endless Inc., is looking at that market with their Linux-based operating system called Endless OS.

Endless OS is a Debian-based distribution that offers a customized Gnome experience. It’s designed for PCs with no or intermittent Internet connectivity. The OS uses Gnome’s OSTree tool and offers only Flatpak applications. The experience is similar to Chrome OS, where updates are installed automatically without user intervention.

In an interview, Michael Hall, the community manager of Endless Inc., pointed out that billions of people still don’t own a PC. Many countries in emerging economies lack the infrastructure for high-speed broadband Internet. What good is a computer without Internet? That’s the problem Endless is trying to solve with their Linux-based distribution called Endless OS.

The main highlight of the distribution is offline applications and content. Endless is available in two versions: the basic version and the full version. The basic edition is meant for PCs with standard Internet connectivity, so users can install applications and access content as they want. The full edition comes in different languages, with ISO images that can be as big as 13GB, and comes with offline apps, in which Endless teams have bundled freely available content with the OS through in-house applications.

With thousands of Wikipedia pages, thousands of tutorial articles, and what not, once you get a system with Endless OS, you pretty much have a treasury of information on your system, without the need for Internet. However, you can’t expect people in emerging economies with very poor Internet to download 13GB of data. Endless works with major hardware vendors like Asus, HP, and others to sell PCs with Endless OS. Customers can just walk into a store and buy a PC with offline Internet installed.

Endless also works with cellular networks and ISPs to offer inexpensive Internet to these users at non-peak hours, so they can get system updates; otherwise, content is updated as they are connected. Endless offers not just offline articles; they are also working with local news publishers to package news stories. The way it works is that, during the night, when traffic is low, the OS syncs the news applications and pulls updates, so in the morning, you are greeted with the latest news stories.




Kolab Now Integrates Collabora Online » Linux Magazine


Kolab Systems AG, a Switzerland-based company, in cooperation with Collabora Productivity, a UK-based company that offers LibreOffice-based solutions, is offering a browser-based online office suite. Kolab Now customers can now run fully featured Collabora Online to create and edit all their documents.

Kolab offers standalone, fully open source Kolab Groupware solutions that anyone can run on their servers; they also offer Kolab Now, a software-as-a-service (SaaS) platform that is similar to Google Apps for businesses, but with privacy in mind.

In a press release, Kolab said, “With Kolab Now, your data is stored by a Swiss company; using open source, peer-reviewed and audited software; developed by some of the most privacy-conscious engineers in the world; and protected by Switzerland’s strictest privacy laws. We have integrated Kolab Now’s new office apps into a space so safe and private that future Edward Snowdens shall feel safe and secure.”

Because the political landscape is changing, with state-sponsored cyberattacks on the rise and governments becoming hostile toward the privacy of their citizens, it’s becoming increasingly important to protect one’s privacy, especially the many professionals, like political activists, researchers, and investigative journalists, who need tools to protect their sources and communications. This is the market to which Swiss-based Kolab Systems AG means to cater.


