Monitoring storage devices with smartmontools on Debian or Ubuntu

edafe.de/smart

The acronym SMART stands for Self-Monitoring, Analysis and Reporting Technology and is a monitoring system built into most modern storage devices. The package smartmontools includes the utilities smartctl and smartd, which process SMART data to ‘provide advanced warning of disk degradation and failure’.

Step 1

Start by configuring nullmailer to receive status updates from your system.

Step 2

Install smartmontools and update its drive database to the latest version.

$ sudo apt-get install --yes smartmontools smart-notifier && sudo update-smart-drivedb

Step 3

Continue by obtaining relevant information about available storage devices.

$ sudo smartctl --scan

Depending on the type of disk, you should see a block of information similar to the following.

/dev/sda -d scsi # /dev/sda, SCSI device

Step 4

Enable SMART support for and display detailed information about the device.

$ sudo smartctl -iHs on /dev/sda

Ideally, information about the device to be monitored would be found in the drive database.

=== START OF INFORMATION SECTION ===
Device is: In smartctl database [for details use: -P show]

The device should report a successful self-assessment test.

=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

Please note: the drive database does not extend to NVMe devices. SMART support for NVMe devices is currently limited to a subset of features.

Step 5

Verify the SMART capabilities of the device.

$ sudo smartctl -c /dev/sda

The following output confirms that the device /dev/sda has both short and extended self-test capabilities.

=== START OF READ SMART DATA SECTION ===
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   2) minutes.
Extended self-test routine
recommended polling time: 	 (  85) minutes.

The output provides estimates for the duration of short and extended (long) self-test routines.

If the device is capable of self-tests

Use the following command to run a short self-test.

$ sudo smartctl -t short /dev/sda

Use the following command to run a long self-test.

$ sudo smartctl -t long /dev/sda

Display a list with the results of recent self-tests in reverse chronological order.

$ sudo smartctl -l selftest /dev/sda

All tests should have completed without error.

Step 6

Edit the default configuration /etc/smartd.conf and comment out any DEVICESCAN options, thus preventing smartd from attempting to search for attached devices indiscriminately.

On Debian 12, you can use the following command to comment out the DEVICESCAN option in the default configuration file.

$ sudo sed -i 's/DEVICESCAN -d removable -n standby -m root -M exec/#DEVICESCAN -d removable -n standby -m root -M exec/' /etc/smartd.conf

Step 7

Example configuration for smartd and SATA devices

For the device /dev/sda, the following configuration for monitoring the device with smartd would have to be added to /etc/smartd.conf.

/dev/sda -H -l error -l selftest -S on -s (L/../.././06|S/../.././18) -m root -M test

-H display the health status as reported by the device

-l error show the increase in the number of SMART errors since last check

-l selftest show the increase in the number of failed tests in the SMART Self-Test Log

-S on enable Attribute Autosave on startup

-s (L/../.././06|S/../.././18) schedule a long self-test between 06:00 and 07:00 daily and a short self-test between 18:00 and 19:00 daily

-m root local user root receives warning by email

-M test send a test email on startup
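To preview when the -s expression above starts self-tests, the following added example (not part of the original guide or of smartmontools) matches it against strings of the form T/MM/DD/d/HH, the format the -s directive is evaluated against. The function name week_plan and the sample date 01/15 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: preview a smartd -s schedule.
# The -s regular expression is matched against strings of the form
# T/MM/DD/d/HH (T: L = long, S = short; d: weekday, 1 = Monday .. 7 = Sunday).

SCHEDULE='(L/../.././06|S/../.././18)'   # expression from the /dev/sda line

# week_plan REGEX [MM/DD] -> prints "T d HH" for every weekday and hour in
# which a test would start. MM/DD defaults to 01/15, a constructed sample date.
week_plan() {
    regex="$1"; monthday="${2:-01/15}"
    for d in 1 2 3 4 5 6 7; do
        h=0
        while [ "$h" -lt 24 ]; do
            hh=$(printf '%02d' "$h")
            for t in L S; do
                # -x: the whole string has to match, not just a part of it
                if printf '%s\n' "$t/$monthday/$d/$hh" | grep -Eqx -- "$regex"; then
                    printf '%s %s %s\n' "$t" "$d" "$hh"
                fi
            done
            h=$((h + 1))
        done
    done
}

# Show the plan for the page's expression: week_plan "$SCHEDULE"
```

Changing the weekday field narrows the plan, for example 'L/../../7/03' starts a long test only on Sundays at 03:00.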

Example configuration for smartd and NVMe devices

Current versions of smartmontools offer experimental support for NVMe devices. In practice this means that only a limited, but still useful, feature set is available.

For the device /dev/nvme0, the following configuration for monitoring the device with smartd would have to be added to the end of /etc/smartd.conf.

/dev/nvme0 -H -l error -m root -M test

-H display the health status as reported by the device

-l error show the increase in the number of SMART errors since last check

-m root local user root receives warning by email

-M test send a test email on startup

Install and configure SSH on Debian or Ubuntu

edafe.de/ssh

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is yourserver, which has the address 192.168.1.10 on the network. remoteuser is a user on yourserver, whereas localuser is a user on the local machine.

Begin by choosing an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server on yourserver with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo -- bash -c 'ufw allow ssh && systemctl restart ssh.service'

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to yourserver to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user remoteuser to the group ssh-users.

$ sudo adduser remoteuser ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the user localuser:

$ cd ~/.ssh && ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/localuser/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/localuser/.ssh/id_ed25519): id_ed25519-yourserver

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the following minimal entry for the host yourserver.

Host yourserver
Hostname 192.168.1.10
IdentityFile ~/.ssh/id_ed25519-yourserver
IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-yourserver.pub remoteuser@yourserver

When prompted to confirm the authenticity of the host yourserver, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? 

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-yourserver remoteuser@yourserver

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/localuser/.ssh/id_ed25519-yourserver':

Step 9

On the remote machine, download this configuration file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 10

On the local machine, open a new terminal window and run the following command.

$ ssh -i ~/.ssh/id_ed25519-yourserver remoteuser@yourserver

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/localuser/.ssh/id_ed25519-yourserver':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T
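The check described above can be scripted. This added example (not part of the original guide or of the downloaded configuration file) reads sshd -T output and tests the three options named above plus the ssh-users group restriction from Step 3. The expected values, including the maxauthtries ceiling of 3, are assumptions, since the contents of sshd_config.conf are not shown on this page.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output against the policy this guide describes.
# Expected values are assumptions; adjust them to the configuration you deploy.

# audit_sshd [MAX_TRIES] [GROUP] reads `sshd -T` output on stdin, prints one
# line per check and returns 0 only if every check passes.
audit_sshd() {
    max_tries="${1:-3}"        # assumed ceiling for maxauthtries
    group="${2:-ssh-users}"    # group created in Step 3
    awk -v max="$max_tries" -v grp="$group" '
        function check(name, ok, detail) {
            printf "%-4s %s (%s)\n", (ok ? "OK" : "FAIL"), name, detail
            if (!ok) failed = 1
        }
        # sshd -T prints a lower-case keyword followed by its effective value;
        # list options such as allowgroups may repeat, one value per line.
        {
            key = $1; $1 = ""; sub(/^ +/, "")
            val[key] = (val[key] == "") ? $0 : val[key] " " $0
        }
        END {
            prl = val["permitrootlogin"]
            pwa = val["passwordauthentication"]
            mat = val["maxauthtries"]
            alg = val["allowgroups"]
            check("permitrootlogin", prl == "no", prl)
            check("passwordauthentication", pwa == "no", pwa)
            check("maxauthtries", mat != "" && mat + 0 <= max + 0, mat)
            n = split(alg, g, " "); found = 0
            for (i = 1; i <= n; i++) if (g[i] == grp) found = 1
            check("allowgroups", found, alg)
            exit failed
        }'
}

# On the remote machine: sudo sshd -T | audit_sshd
```

An option that is missing from the output, such as an unset allowgroups, is reported as FAIL with an empty value.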

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

Install Syncthing for continuous file synchronisation on Debian or Ubuntu

Syncthing is an open source tool that synchronises files continuously across multiple devices. It transfers data between two or more of your computers, without uploading any information to the cloud.

Syncthing packages are available for Android, Windows, macOS and Linux (including Synology DSM). In addition, Synctrain enables iOS devices to “securely synchronise files with other devices that have Syncthing installed”.

The usefulness of the Syncthing Project cannot be overstated.

Running the Syncthing stable-v2 channel

Syncthing is included in both the Debian and Ubuntu repositories. If you would rather use the most up-to-date version, you need to add the Syncthing repository to your list of APT sources.

These instructions are targeting the latest release of the Syncthing stable channel. In the following example, syncthinguser is the local username.

Step 1

Add the Syncthing release key for validation of packages downloaded from the Syncthing repository.

$ sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg

Step 2

Add the Syncthing repository.

$ echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable-v2" | sudo tee /etc/apt/sources.list.d/syncthing.list

Step 3

Install Syncthing on your system.

$ sudo -- bash -c 'apt update && apt install --yes syncthing apt-transport-https'

Step 4

Enable Syncthing for the local user syncthinguser. Don’t forget to replace syncthinguser with your username before running the command.

$ sudo -- bash -c 'systemctl enable syncthing@syncthinguser.service && systemctl start syncthing@syncthinguser.service && systemctl status syncthing@syncthinguser.service'

Step 5

You may need to edit your firewall settings to open ports for incoming and outgoing traffic.

If you are using ufw as a host-based firewall

Configure ufw to allow connections to Syncthing.

$ sudo ufw limit syncthing

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to Syncthing.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=syncthing --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 6

Access the Syncthing configuration page by using your browser to navigate to the following address:

http://localhost:8384

Step 7

Complete your setup by referring to the Syncthing documentation.

Upgrading from the stable-v1 channel

If you have previously installed from apt.syncthing.net and are currently running Syncthing 1.x, upgrading to the stable-v2 channel is straightforward.

Remove the old APT sources configuration file.

$ sudo rm /etc/apt/sources.list.d/syncthing.list

Add the new repository for the stable-v2 channel together with its release key.

$ sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg && echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable-v2" | sudo tee /etc/apt/sources.list.d/syncthing.list

Upgrade to the latest stable version of Syncthing.

$ sudo -- bash -c 'apt update && apt upgrade --yes'

revWhiteShadow recently described the Syncthing 2.0 release as ‘A Giant Leap Forward in Decentralized File Synchronization’.

GNOME shell tutorial: desktop workflow explained



“Before we get started, let me say this upfront: GNOME shell is not a traditional desktop and if you try to use it as one, you will not be very efficient.”

AJ Reissig

What’s your favourite desktop and why?

In response to Voice of the Masses

My favourite Desktop is Unity because it is not MATE. This has been bugging me for quite some time.
Like almost everyone else on the planet, I was unhappy when in 2011 Canonical declared Unity Ubuntu’s new default desktop. After years of using GNOME 2, I just thought that Unity felt a bit awkward. But I stuck with it, mainly for a perceived lack of alternatives and my wish to avoid PPAs if at all possible.
Fast-forward a few years and, thanks to the excellent Martin Wimpress, I hear of MATE Desktop Environment almost every other podcast I listen to. With the release of Ubuntu 15.10, MATE is finally elevated to official flavour status and I was sure to be making the switch away from Unity.
I ended up using MATE for about one day before going back to Unity. It was quite an uncomfortable thing to have to admit, but there was a problem: After years of using Unity, I just thought that MATE felt a bit awkward…

ubuntu-mate.org

What we give away when we log on to a public Wi-Fi network

“Already 20 smartphones and laptops are ours. If he wanted to, Slotboom is now able to completely ruin the lives of the people connected.” Wouter Slotboom is one of the good guys, demonstrating to Maurits Martijn his effortless ability to retrieve people’s passwords, steal their identity, and plunder their bank accounts.

decorrespondent.nl

Codes we live by: Alex Klein at TEDxTeen 2014



“What you can do with a computer is incredible, because you don’t use it like a tool, you use it like a part of yourself.”

Alex Klein

The full story of Nokia and Microsoft

“When the N9, running MeeGo received the strongest positive reviews of any Nokia phone ever, the first handset of any brand considered better than the iPhone—what did Elop do? He said that no matter how well the N9 sold, Elop would never allow another MeeGo based device to be sold by Nokia.” Microsoft has just bought Nokia’s handset division for a knockdown price of 5.3 Billion Euros, prompting former Nokia employee Tomi Ahonen to chronicle the decline of this once mighty company since September 2010, when former Microsoft employee Stephen Elop became the first non-Finnish director in Nokia’s history.

communities-dominate.blogs.com
