Categories
Linux

Creating an “optimised” Debian UEFI / Gen2 Hyper-V Virtual Machine

First, we’ll use PowerShell to create your new Hyper-V VM. You’ll need to edit the variables at the top of this script (in bold) – note the size of the OS disk will be 32GB, you can change this, but will need to adjust partition layout / sizes accordingly.

# Change text in BOLD
$vmname = "DEBIAN" # Desired Virtual Machine Name
$vmpath = "E:\" # Root folder for Hyper-V VM (a folder will automatically be created for the VM itself)
$virtual_switch = "vSwitch" # Hyper-V Host vSwitch name to connect VM to
$netboot_iso = "C:\Users\chris\Downloads\debian-8.6.0-amd64-netinst.iso" # Debian Net Install ISO Path

# Create a new VHD:
New-VHD -Path "$vmpath\$vmname\Virtual Hard Disks\$vmname.vhdx" -SizeBytes 32GB -Dynamic -BlockSizeBytes 1MB

# Create the new VM:
New-VM -Name $vmname -MemoryStartupBytes 4096MB -Generation 2 -VHDPath "$vmpath\$vmname\Virtual Hard Disks\$vmname.vhdx" -SwitchName $virtual_switch
Add-VMDvdDrive $vmname 
Set-VMDvdDrive -VMName $vmname -Path $netboot_iso

# Disable Secure Boot on the VM (it will not boot from the ISO without this):
Set-VMFirmware -VMName $vmname -EnableSecureBoot Off

# Disable Dynamic Memory (not supported by Debian):
Set-VMMemory $vmname -DynamicMemoryEnabled $false

# Now, power on the machine.
Start-VM -Name $vmname

Now, connect to the VM via the Hyper-V console and proceed to load the Debian setup wizard. Continue through the wizard until you are prompted to configure partitions / storage; at this point break out to a new console (Ctrl-Alt F1).

Now we’ll manually define our partitions / desired filesystem based on the latest Microsoft recommendations here. Above, we created a 32GB VHD – if you changed this figure, change the commands below to suit. Where I have written “<default>” just hit enter. Note: you will wipe the drive this partition layout is applied to; you do this at your own risk.

Desired partition layout:

  • UEFI System Boot : 512MB
  • root / – ext4: 27GB
  • swap : <remaining space>

From your new console, use these commands:

fdisk /dev/sda
g
p
	n
	1
	<default>
	+512M
	t
	1

	n
	2
	<default>
	+27G

	n
	3
	<default>
	<default>
	t
	3
	14
w

Now, switch back to the Debian setup wizard and select “manual” for disk configuration / partitioning, then select each of the partitions and configure as below:

Partition 1: use as: UEFI System Partition (ESP)
Partition 2: use as: ext4, mount point "/"
Partition 3: use as: swap

Complete the installation as normal – you’re all done.

Categories
Linux

Debian Linux 8, Jessie, Managing and Troubleshooting Memory Consumption

I ran into some issues running Debian 8.6 on Hyper-V recently – my VM would run out of memory, run through a series of activities, killing processes to try and self-heal, and then, eventually, lock up entirely.

On reviewing the syslog I started to understand what was going on – the system was running out of memory:

sudo cat /var/log/syslog | grep memory

It looked as if, for whatever reason, wfica (the Citrix Receiver Client) couldn’t be “completely” killed to free-up memory; once killed more processes seemed to spawn which in turn would be killed, leading to more processes. Eventually more important system processes were killed to try and free-up memory:

Sep 30 11:42:15 debian kernel: [55556.844790]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:42:15 debian kernel: [55556.844978] Out of memory: Kill process 9405 (clamd) score 72 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.791644]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:52:15 debian kernel: [56156.791823] Out of memory: Kill process 8831 (wfica) score 30 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.792333]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:52:15 debian kernel: [56156.792498] Out of memory: Kill process 8834 (threaded-ml) score 30 or sacrifice child
Sep 30 12:02:16 debian kernel: [56757.847752]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 12:02:16 debian kernel: [56757.848397] Out of memory: Kill process 8853 (wfica) score 31 or sacrifice child
[...]
[...] # many more wfica processes killed, different PIDs
[...]
process 9238 (wfica) score 45 or sacrifice child
Sep 30 13:52:39 debian kernel: [63381.448595]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:52:39 debian kernel: [63381.448762] Out of memory: Kill process 1147 (dropbox) score 18 or sacrifice child
Sep 30 13:53:17 debian kernel: [63419.152094]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:53:17 debian kernel: [63419.152256] Out of memory: Kill process 8655 (shutter) score 10 or sacrifice child
Sep 30 13:53:21 debian kernel: [63423.078535]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:53:21 debian kernel: [63423.078699] Out of memory: Kill process 1071 (Xvnc) score 10 or sacrifice child
Sep 30 13:57:26 debian kernel: [63666.800723]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63666.800914] Out of memory: Kill process 852 (lightdm-gtk-gre) score 3 or sacrifice child
Sep 30 13:57:26 debian kernel: [63666.820658]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63666.820787] Out of memory: Kill process 581 (Xorg) score 2 or sacrifice child
Sep 30 13:57:26 debian kernel: [63668.058072]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63668.058324] Out of memory: Kill process 501 (freshclam) score 0 or sacrifice child
Sep 30 13:57:26 debian kernel: [63668.065610]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:27 debian kernel: [63668.065906] Out of memory: Kill process 3727 (AuthManagerDaem) score 0 or sacrifice child
Sep 30 13:57:29 debian kernel: [63668.256015]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:29 debian kernel: [63668.256217] Out of memory: Kill process 9143 (AuthManagerDaem) score 0 or sacrifice child
Sep 30 13:57:29 debian kernel: [63668.872898]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63668.873008] Out of memory: Kill process 192 (systemd-journal) score 0 or sacrifice child
Sep 30 13:57:30 debian kernel: [63669.939297]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63669.939437] Out of memory: Kill process 552 (polkitd) score 0 or sacrifice child
Sep 30 13:57:30 debian kernel: [63669.943290]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63669.943387] Out of memory: Kill process 502 (NetworkManager) score 0 or sacrifice child

In terms of cause, this was simple: Debian 8 doesn’t support Hyper-V Dynamic Memory: https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/supported-debian-virtual-machines-on-hyper-v

However, this got me thinking, coming from a Windows background, about how to monitor / review consumption of resources.

To view memory consumption, by process, sorted high > low:

top -o %MEM

Review syslog for out of memory events:

sudo cat /var/log/syslog | grep memory
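
A plain grep shows every event but not the pattern behind them. The following added example (not from the original post; the function names are assumptions) summarises OOM-killer events per process name, so a process that is killed again and again, as wfica was above, stands out:

```shell
#!/bin/sh
# oom_summary: read syslog-format text on stdin and print, per process name,
#   "<kills> <name> first=<HH:MM:SS> last=<HH:MM:SS>", most-killed first.
oom_summary() {
    awk '
    /Out of memory: Kill process/ {
        # Isolate "Kill process <pid> (<name>)" and strip it down to <name>.
        if (match($0, /Kill process [0-9]+ \([^)]*\)/)) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^Kill process [0-9]+ \(/, "", name)
            sub(/\)$/, "", name)
            if (!(name in kills)) first[name] = $3   # $3 is the syslog time
            kills[name]++
            last[name] = $3
        }
    }
    END {
        for (n in kills)
            printf "%d %s first=%s last=%s\n", kills[n], n, first[n], last[n]
    }' | sort -k1,1nr -k2,2
}

# repeat_victims <min>: names killed at least <min> times (stdin as above).
repeat_victims() {
    oom_summary | awk -v min="$1" '$1 >= min {
        sub(/^[0-9]+ /, ""); sub(/ first=.*$/, ""); print }'
}

# Sample input: kill events copied from the log excerpt above.
sample_log() {
    cat <<'EOF'
Sep 30 11:42:15 debian kernel: [55556.844790]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:42:15 debian kernel: [55556.844978] Out of memory: Kill process 9405 (clamd) score 72 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.791823] Out of memory: Kill process 8831 (wfica) score 30 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.792498] Out of memory: Kill process 8834 (threaded-ml) score 30 or sacrifice child
Sep 30 12:02:16 debian kernel: [56757.848397] Out of memory: Kill process 8853 (wfica) score 31 or sacrifice child
EOF
}

sample_log | oom_summary
```

On a live system, feed it the real log instead of the sample: `sudo cat /var/log/syslog | oom_summary`.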

To view virtual memory consumption:

vmstat

To view CPU utilisation, by process, sorted high > low:

top -o %CPU

To view disk utilisation:

sudo apt-get install sysstat
iostat -d #for physical disks
iostat -N #for LVM

[more to come]

Categories
ICA Client Linux

Debian 8, Jessie, Installing Citrix Receiver

Download the Citrix Receiver Client from here: https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-latest.html

Now install the client using the commands:

sudo dpkg -i ~/Downloads/icaclient_*.deb ~/Downloads/ctxusb_*.deb
sudo apt-get -f install # Install missing depends.

Next, configure the client:

sudo /opt/Citrix/ICAClient/util/configmgr &

Without executing this command I would get a brief pop-up and then the Citrix client would simply disappear – no errors were displayed.

Using FireFox? Check here for specific instructions: https://help.ubuntu.com/community/CitrixICAClientHowTo#A7._.2864-bit_only.29_Fix_Firefox_plugin_installation

SSL configuration for GlobalSign SSL (if you’re using a different CA you can skip this / retrofit to meet your needs).

Download GlobalSign Root CA crt files from: https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates

wget https://secure.globalsign.net/cacert/Root-R1.crt
wget https://secure.globalsign.net/cacert/Root-R2.crt
wget https://secure.globalsign.net/cacert/Root-R3.crt

Convert to PEM format using OpenSSL:

openssl x509 -inform DER -in Root-R1.crt -out Root-R1.pem -outform PEM
openssl x509 -inform DER -in Root-R2.crt -out Root-R2.pem -outform PEM
openssl x509 -inform DER -in Root-R3.crt -out Root-R3.pem -outform PEM

Copy these to: /opt/Citrix/ICAClient/keystore/cacerts

sudo cp *.pem /opt/Citrix/ICAClient/keystore/cacerts/

Rehash the ICA Client certificates:

sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts/
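
Anything copied into the keystore becomes a trust anchor for the client, so each downloaded file should be checked before it is converted. The following added example (not from the original post) converts a DER file to PEM only when its SHA-256 fingerprint equals a value you copied from the CA's published list and the certificate is self-issued; the function names and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# der_sha256 <file.crt>: SHA-256 fingerprint of a DER certificate,
# printed as lowercase hex without colons.
der_sha256() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# is_self_issued <file.crt>: succeeds only if subject and issuer are identical,
# as they are for a root certificate.
is_self_issued() {
    subj=$(openssl x509 -inform DER -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -inform DER -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# convert_if_trusted <in.crt> <out.pem> <expected-sha256-hex>
# The expected value comes from you (taken from the CA's published list);
# colons, spaces and upper case in it are accepted.
convert_if_trusted() {
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(der_sha256 "$1")
    # An unreadable file yields an empty fingerprint, which must never match.
    [ -n "$got" ] && [ "$got" = "$want" ] ||
        { echo "fingerprint mismatch: $1" >&2; return 1; }
    is_self_issued "$1" ||
        { echo "not a root certificate: $1" >&2; return 1; }
    openssl x509 -inform DER -in "$1" -out "$2" -outform PEM
}

# Usage: sh script.sh Root-R1.crt Root-R1.pem <fingerprint from the CA's page>
if [ $# -eq 3 ]; then
    convert_if_trusted "$@"
fi
```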

Citrix “official” instructions are available here: http://docs.citrix.com/en-us/receiver/linux/13/linux-secure-wrapper/linux-secure-connect-secure-gateway-ssl-relay.html

If you get SSL Error 61 :: “Contact your help desk with the following information: You have not chosen to trust “GlobalSign RootCA”, the issuer of the server’s security certificate (SSL error 61).”

You haven’t imported / rehashed the necessary SSL certificates for your server’s certificate.

Categories
Linux

Debian 8, Jessie, Configuring a Static IPv4 Address

If you’re enabling RDP support, or other services on a Debian Linux machine that you want to connect to from a remote device, a static IP is an obvious requirement (be that, ideally, a DHCP reservation or a manually configured IP).

Considering I couldn’t opt for a DHCP reservation for my home set-up (long story) I went for a manually configured IP address, using the commands / configuration files below.

Edit /etc/network/interfaces:

sudo vi /etc/network/interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.1.249
        netmask 255.255.255.0
        gateway 192.168.1.1

Edit resolv.conf:

sudo vi /etc/resolv.conf 

   nameserver 192.168.1.1

I found that after this change, in order for Network Manager to “release” control of the interface, I had to restart the device – I’m sure there is a better solution, let me know if you find one…

Categories
Linux

Debian 8, Jessie, Middle-Button Scrolling in Firefox

One annoyance I’ve had since using Debian 8 / Firefox was that every time I pressed the middle-mouse button and tried to scroll on a web page I’d get a new page load, or nothing would happen.

This was a Firefox-specific issue, that can be resolved by configuring as below in about:config:

Setting: general.autoScroll
Set to: True

Setting: middlemouse.contentLoadURL
Set to: False
Categories
Linux

Debian 8, Jessie, Installing Sudo

I was surprised to find that sudo was not installed by default on Debian 8 as it is with Ubuntu. You can debate whether the root account should, or should not, be enabled; however, I would recommend the use of sudo for audit logging the use of elevated privileges.

Install sudo itself using the command:

apt-get install sudo

Now add your personal account to the sudo group:

adduser <username> sudo

You’ll need to either logoff or reload your groups.

Should you choose to disable the root account itself, use the following commands:

sudo passwd -l root
sudo usermod --expiredate 1 root

Categories
Linux

Debian 8, Jessie, Firefox Locked Preferences

Firefox has recently become my go-to browser of choice, not because of speed, but because of privacy – more to come on this subject at a later time.

Having established a configuration I am happy with – following guides on sites such as privacytools.io – I like to be sure no add-ons or Firefox updates can reset the configuration, so I opt for locked preferences. More information from Mozilla on this here.

To lock preferences on Debian, you’ll need to create two files as outlined in the Mozilla article – mozilla.cfg and local-settings.js.

mozilla.cfg

// Firefox ignores the first line of this file, so keep it as a comment.
lockPref("privacy.trackingprotection.enabled", true);
lockPref("geo.enabled", false);
lockPref("browser.safebrowsing.enabled", false);
lockPref("browser.safebrowsing.malware.enabled", false);
lockPref("browser.safebrowsing.downloads.enabled", false);
lockPref("dom.event.clipboardevents.enabled", false);
lockPref("network.cookie.cookieBehavior", 1);
lockPref("network.cookie.lifetimePolicy", 2);
lockPref("browser.cache.offline.enable", false);
lockPref("browser.send_pings", false);
lockPref("webgl.disabled",true);
lockPref("dom.battery.enabled", false);
lockPref("browser.sessionstore.max_tabs_undo", 0);
lockPref("media.peerconnection.enabled", false);
lockPref("media.peerconnection.turn.disable", true);
lockPref("media.peerconnection.use_document_iceservers", false);
lockPref("media.peerconnection.video.enabled", false);
lockPref("media.peerconnection.identity.timeout", 1);
lockPref("browser.search.suggest.enabled", false);
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("signon.rememberSignons", false);

local-settings.js

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

Now copy these files to the required directories, close and open Firefox.

cp mozilla.cfg /usr/lib/firefox-esr/
cp local-settings.js /usr/lib/firefox-esr/defaults/pref/

 

Categories
Linux

Debian 8, Jessie, Enable RDP Server

The below is now “obsolete,” in my opinion – it will work, however, you will not get sound redirection and performance is not as good as it can be due to this solution being routed over VNC. Check out my more-recent guide on using x11rdp, here.

As an avid, die-hard Windows user I struggle to make the move to VNC considering how fast RDP is in comparison. When I discovered it was possible to enable RDP support on Debian, I quickly set-to.

Install XRDP on Debian

This will both install and configure XRDP:

sudo apt-get install xrdp

Fix Key-Mapping Issues

There is one “bug” with key-mapping that requires a custom key-map file to be used with XRDP specifically, the below is for en-GB / UK keyboards – save the below as km-0809.ini – see last step after text file contents!

Categories
Linux

Installing OpenVAS and Greenbone Security Assistant on Debian 8, Jessie

First, some background – in a recent attempt to get a better handle on Internet privacy I began to look at various areas from mobile operating systems, browsers to the network I was connecting to the Internet from, and the various risks all entailed. In terms of my local network I was intrigued to better understand the “health” of devices on that network, and any risks they exposed.

I started to re-visit the use of Linux, and initially rediscovered Kali Linux “2016.2.” This proved to be a nightmare within a Hyper-V machine – a memory leak consumed all available host memory (12GB) in a couple of days, plus an “apt-get dist-upgrade” resulted in a failure of Xfce on boot… all I wanted was a vulnerability scanner, not a headache! Sadly, getting OpenVas running on Kali is very easy – see here.

My next port of call was Ubuntu, however, from a privacy perspective this proved less than ideal, so I opted for a distro I had not used for many years in its original form, Debian – specifically Debian 8, or Jessie.

Categories
Linux

Apache : Useful .htaccess Configurations

I came across the following useful .htaccess configurations over at https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess#L169.

Rewrite www.cb-net.co.uk -> cb-net.co.uk
{code lang:ini showtitle:false lines:false hidden:false}<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>{/code}
 
Conversely, rewrite cb-net.co.uk -> www.cb-net.co.uk
{code lang:ini showtitle:false lines:false hidden:false}<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>{/code}
 
Protect access to backup files, including Akeeba backup files for Joomla
{code lang:ini showtitle:false lines:false hidden:false}<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|jpa)|~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>{/code}
 
Prevent access to hidden files
{code lang:ini showtitle:false lines:false hidden:false}<IfModule mod_rewrite.c>
# A path is either a directory or a file, never both, so the conditions need [OR]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
{/code}
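
To see which files in a document root actually depend on the last two rules, the following added example (not from the original post or from html5-boilerplate) applies the same two patterns to every file under a directory and reports the ones that only those rules keep from being served. The function names are assumptions; the patterns are copied from the rules above.

```shell
#!/bin/sh
# Patterns copied from the two rules above. FilesMatch is tested against the
# file name, the RewriteRule pattern against the request path.
BACKUP_RE='(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|jpa)|~)$'
HIDDEN_RE='(^|/)\.'

# classify_path <relative-path>: prints "backup", "hidden", "both" or "none".
classify_path() {
    b=0; h=0
    printf '%s\n' "${1##*/}" | grep -Eq "$BACKUP_RE" && b=1
    printf '%s\n' "$1" | grep -Eq "$HIDDEN_RE" && h=1
    case "$b$h" in
        11) echo both ;;
        10) echo backup ;;
        01) echo hidden ;;
        *)  echo none ;;
    esac
}

# audit_docroot <dir>: print "<class><TAB><path>" for every existing file
# that one of the two rules is protecting.
audit_docroot() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r p; do
        c=$(classify_path "$p")
        [ "$c" = none ] || printf '%s\t%s\n' "$c" "$p"
    done
}

# Usage: sh script.sh /var/www/html
if [ $# -eq 1 ]; then
    audit_docroot "$1"
fi
```

Every path it prints is a file that becomes downloadable if the corresponding rule is missing, disabled, or skipped because mod_rewrite is not loaded.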