Posted on

Debian on AWS Lightsail

This is a setup of several items, starting with Debian 9 on Amazon AWS Lightsail. This has server basics and apt, and then follows with links to additional articles. In general, after several years of running CentOS on Linode, and then Amazon Linux AMI on EC2 and Lightsail, I find that Debian 9 is simply faster, just as secure, and at least slightly easier to use.

While there are many flavors of Linux, clearly two particular lineages predominate: RHEL/CentOS/AMI and Debian/Ubuntu/Mint. Either is just as valid, though of course niche requirements may make one or the other more attractive. Android and ChromeOS are even more popular, but we are dealing with server OS here. For me, Debian on the desktop via LMDE3 (Linux Mint Debian Edition) is currently a favorite.

AWS Lightsail is a decently priced VPS package. Equivalents can be found in various first and second tier cloud providers such as Digital Ocean, Vultr, Linode, and perhaps even Azure and Google Cloud, who knows? Anyone with any experience with AWS can leverage this with Lightsail, though the main web interface is a bit different.


Related Articles in Debian Services and Applications

  • Debian on AWS Lightsail
  • OpenVPN on Debian + UFW Firewall
  • Nginx and Letsencrypt on Debian
  • PHP & MariaDB on Debian
  • Grav CMS on Debian

Choose Debian Distribution

On Lightsail as of late 2018 Debian 9.5 is an option.

  • Install PHP from special repository sources (found in the Running PHP on Debian article)
  • Install special packages from Backports when needed (such as certbot)
  • Use apt install PACKAGE -y -t stretch-backports

Example:

sudo apt install -y python-certbot-nginx -t stretch-backports

Packages available from Distributions

Update Debian

sudo apt update -y
sudo apt update -y -t stretch-backports

Upgrade Debian

Do some checks and then execute upgrade and dist-upgrade.

Note: accept the locally modified files for upgrading when asked.

sudo apt upgrade -y
sudo apt upgrade -y -t stretch-backports

Note: can have system service restarts be done automatically, when asked.

Upgrade Debian Distribution

This will change from one release to the next if there is a next one for the version being run (e.g., stable).

sudo apt dist-upgrade -y

Next, run the command to reload the terminal session:

hash -r

Steps in Configuration

Server Basics Steps

  • Configure servername, ip addresses
  • Apt, Configure repositories, Update, Upgrade, Clean, etc.

Servername, IP Addresses

For private IP Addresses

ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'

For a public IP address (esp. Amazon AWS Elastic IP)

curl -4 icanhazip.com

Apt Sources List

ls -la /etc/apt

and see what is in subdirectories

Installed packages

dpkg-query -l

apt-get commands

Note, this is largely obsolete with the apt command set -- need to UPDATE this section below

apt-get clean
apt-get autoclean
apt-get dist-upgrade
apt-get clean
apt-get check
apt-get autoremove

  • autoclean deletes .deb files from local cache
  • clean deletes .deb files from distribution installation
  • autoremove removes previous, but no longer needed dependencies
  • dist-upgrade deals with dependencies, not just applications, and will add/remove/upgrade them
  • apt-get check will check for dependencies missing

note: difference between apt-get remove xyz vs. apt-get purge xyz, as the first preserves configuration files (for possible later use)

Completely Remove Packages

sudo apt-get --purge remove package-name

IPA Keyboard Layout

Well, it turns out, there is no such thing, per se, as an IPA Keyboard Layout, at least not in the sense that there are keyboard layouts for various languages and layout styles (e.g., English, Dvorak, etc.). This seems to me to be a tremendous oversight, though it obviously came about because someone thought supporting the entire Unicode space for the IPA was a great idea, and the only idea. There are two things needed to have an IPA Keyboard Layout that would be functional for someone working in one or a few select languages:

  • A Keyboard Layout File, such as discussed here for X11 support (Linux)
  • One or more fonts that provide the support needed -- which includes a wide variety of Unicode symbols plus the specific IPA Unicode extension block. And preferably fonts with multi-lingual support so that a mixture of IPA and one or more languages would be typographically elegant, or at least not jarringly unaesthetic.

IPA Character Support for a Given Language

The first step is to get a useful/functional/popular mapping of a language to IPA characters. For a language with diverse dialects, some standard form needs to be determined. Along with this is the likelihood of supporting two languages. For example, if the target language is Thai, the supporting/documenting language is likely English or another foreign language. Both Thai and English IPA character spaces need to be determined, and together they should map out the shared space, in a Venn-like diagram.

Determine Key Mapping Desired for Character Space

A simplistic approach would be taking the 26 characters in English and mapping those keys (lowercase and uppercase) to obvious matches, and expanding into punctuation keys as needed. Requirements for dead keys and multi-keystrokes in general might be avoidable. The main approach should be to reuse as much of the current set of wheels available rather than re-inventing one's own.

Build Keycap File and Print Keycaps

It seems straightforward to have keycaps that would support two languages and IPA. This would provide a nice intermediary, additional script which could support both of the other two languages. For some languages which maintain a large portion of the alphabetic character space in English, a third (fourth) script might be able to be accommodated, such as: English, IPA, Thai, and Vietnamese; perhaps even English, Indonesian, IPA, Thai, and Vietnamese.


Linux Mint Debian Edition 3

Note: since Debian has Cinnamon built-in as a desktop choice on install, and since the rest of Mint is Ubuntu or Debian (LMDE), it seems a bit nonsensical to go Mint when I can go Debian + Cinnamon. This document will be somewhat regularly updated with information, and will start out sparse.

  • Debian installation with Gnome3 is such a shit show. Sorry guys but way too unpolished, as in unclean.
  • On the other hand, I've got excellent timing with the LMDE3 beta release on 31-July-2018. Here it is 31-August-2018 and I'm completely impressed with Linux Mint Cinnamon on Debian 9. This is the way things ought to be. Coming from OSX 10.10 (Yosemite) and also having spent a bit of time in ChromeOS 69-70, I have to say that Linux Mint Cinnamon on Debian is just simply way better. In fact, it really should take on another acronym of the same name, LMDE - Lunar Module Descent Engine. The metaphor of the Pintle Injector completes the picture. Debian and its accompanying applications is the fuel and Linux Mint / Cinnamon is the oxidizer. Together there is kick ass and elegant movement, dancing among the stars.

Update - Early 2019 - Turns out that Cinnamon is a desktop environment natively available as an option when installing Debian. That appears to be a better choice rather than an entire other distribution that is patched together between Cinnamon and Debian, and various other Cinnamon/Mint applications (most of which I don't choose to use or could get elsewhere).

Note: for parallel reasons, I'm also moving over to Debian from my standard CentOS and Amazon Linux distributions. CentOS I've used for a while, and it is the basis of Amazon Linux. However, Amazon isn't really the greatest cloud provider and their customer service is in the toilet these days. On the other hand, the Linux Containers running on ChromeOS are Debian, so that is where I am headed. In addition, Debian is of course one of the major distributions and is available on most cloud platforms. Debian 8 on Amazon Lightsail and Linux Mint Debian Edition (Debian 9) on the desktop. A most delightful set of twins.

Debian Application Management

apt, .deb, Software Center (avoid), flatpak, .appimage

Apt

Standard package management can be done from apt-get or aptitude in Debian. Both are interfaces into apt. Installation using .deb files, while possible, doesn't make as much sense. apt-get is the standard command-line interface to apt (Advanced Package Tool) package management for updating Debian and applications, akin to yum in the CentOS world. Note that apt-get is the most popular tool for package management. aptitude is another front-end to apt. Actually, apt is pretty much what one wants to use on the command line, and then the Software Center (sometimes with flatpak) as a second choice, and .deb downloadable installations when necessary, as well as the odd .appimage. See these clarifying remarks re: apt vs. apt-get.

sudo apt update -y
sudo apt upgrade -y
sudo apt dist-upgrade -y   # when upgrading to a new release
sudo apt autoremove -y
sudo apt update -y -t stretch-backports
sudo apt upgrade -y -t stretch-backports

The similar command using apt simply doesn't work.

Debian File System and Directory Structure

more here (later)

Security and Accounts

By default the root login is disabled, which if there is a need to emergency boot, will cause no end of headaches. Undo that:

sudo su
passwd

Quick - How to Update All Apps

Note that not only apt but the backports repository need to be queried, as well as flatpak

sudo apt update -y
sudo apt upgrade -y
sudo apt autoremove -y
sudo apt update -y -t stretch-backports
sudo apt upgrade -y -t stretch-backports
sudo flatpak update -y

See also: Using Flatpak Docs

Note: best to run each of these lines individually as otherwise something might be missed.

Applications Installed and To Install

Pre-Installed Apps on LMDE

Pre-installed with LMDE3 are quite a few applications, applets, and the like. The ones we prefer to use include:

  • GIMP
  • Libre Office
  • Transmission
  • Openssh-client

However, some of these lag behind in updates and this means going to different distribution sources.

Apps to Install on LMDE

There are many to install, and they are installed in a variety of ways. We prefer to use the Software Center when possible, apt-get when not, and .deb files when neither of the first two are available.

Software Center Apps (note: this is not a great place to get applications since they tend to be older distributions that are not updated (at least not very often))

  • Audacity (audio editor)
  • Filezilla (sftp)
  • KeepassXC (password/OTP utility)
  • Calibre (ebook/document library)
  • Autossh (autorestart ssh)
  • Gtkpod (ipod manager)
  • Praat (speech analysis)
  • Stellarium (sky generator)

Apt Apps

  • htop
  • etc.

.Deb GDebi Package Installer Apps (note, these can be updated via apt update)

  • Atom Editor
  • Chrome Browser
  • Insync (GSuite Drive File Sync)

Install Script Installer Apps and Drivers

  • Printer driver
  • Scanner

.appimage Apps

  • LMMS (audio editor)

Flatpak Apps

  • Quod Libet (music library)
  • Inkscape (vector graphics editor)
  • MuseScore (music score editor)
  • Shotcut (video editor)
  • Telegram Desktop (chat/voice/file sharing)

First, install flatpak

sudo apt install flatpak -y
sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Apps to Remove from Software Manager

  • Rhythmbox
  • Etc.

Configuration Issues

There are various tweaks and whatnot. It is simplest to go through Settings, Applets, and Panel systematically. Also turn on the Firewall, and set the Windows/Command key to Control in the Keyboard if using external keyboards of that ilk; enable additional keyboards as well.


Kindle on ChromeOS

Dealing with a Kindle (and ebook collection) on ChromeOS requires a different set of tactics than the more straightforward use of Calibre (unless using it in Crostini is a choice).

Functionality Required for Kindle on ChromeOS

The basic functionality required includes:

  • Uploading to Kindle device;
  • Downloading from Kindle device;
  • Converting files from epub to mobi (to get epubs into the Kindle) and azw to epub, plus some cracking software, to get azw to epub (ebooks bought off the Amazon Kindle store)

Calibre on Debian (ChromeOS with Linux Container Crostini)

Below includes various work-around options, but the functionality and ease of operation (the kludgy interface notwithstanding) of Calibre makes that the go-to option. Note that the instructions for installing Calibre on Linux on the Calibre website are garbage. Just use the standard Debian install command and agree to install dependencies.

sudo apt-get install calibre

Note that as of 05-Aug-2018 the usb interface is not yet available to the Linux Container VMs in Crostini. However it appears there is active work being done on it, according to the Chromium bugtracker.

Uploading to the Kindle Device from ChromeOS

Uploading from ChromeOS to a Kindle device is done in one of two ways:

  • Plug in Kindle over USB and copy a *.mobi file in it to the Kindle /documents/ directory using the ChromeOS File Manager
  • Install the Kindle Android app and an Android File Manager app. Once this is done, right-clicking on a *.mobi file will include the option of sharing/sending, and then select the Send to Kindle option.

Downloading from a Kindle device with ChromeOS

  • The simplest approach is to do so with a file manager (ChromeOS or Android) over USB.
  • Unfortunately sometimes there are several files rather than a single one, in which case download from the Amazon store Manage my Content and Devices section. Clicking on the three dots next to any given ebook (not including samples) includes the option Download and Transfer via USB.

Crostini – Linux on ChromeOS

Once Linux apps are configured, a default Debian 9 (stretch) container is created. The default login is username@penguin. From there:

sudo apt update
sudo apt upgrade

Notes

Things to do: modify boot drive (resize), mount new drive on external media and use for app installation, update fonts in that environment to improve Inkscape, GIMP, etc.


ChromeOS – Apps, Config, Utilities

This is meant to help with the conversion from OSX to ChromeOS. For background on ChromeOS and Chromium, see chromium.org. See also a hardware discussion on Chromebooks, Chromebits, and Chromeboxes.

What Chromebooks Can't (Yet) Do

Note: the Crostini project means that a host of Linux apps and functionality can/will/may be on tap, which can affect a good number of the issues below. Time will tell.

Device-Specific Services

  • Printing has improved a lot, including direct-connected USB printers, but only a subset of printer drivers are available, when compared with Win/OSX and even Linux. However, using any computer with a Chrome browser can support Google Cloud Print, and act as a print server (even directly connected, non-ChromeOS driver-supported usb printers).
  • Scanning (unless part of a ChromeOS driver-supported all-in-one) is pretty much not supported.
  • Music: Connecting to and managing an Ipod device, say with Rhythmbox doesn't work on a Chromebook, unless an entire Gnome desktop is installed in a different Linux.
    • Other stand-alone, cross-platform ipod management tools include Floola and Yamipod. Floola works with a 4th gen ipod shuffle (select 3rd gen version on open).
    • Use of Google Play Music is an option, but quite unwieldy through browser upload and limited management tools on the Google Play Music site.
  • Calibre-like library, kindle management, and ebook editing tool. Granted Calibre is challenged on the interface, it is continually updated and has extensive functionality for library management.

Font Management

Media Editing

  • Possibly still limited regarding bitmap image editing (GIMP on Linux).
  • Video editing, while there are some apps and the like, the limited memory available on most Chromebooks (4gb) is probably the biggest sticking point.
  • Complex SVG and Bitmap images, as well as video, are still largely best managed and produced on the desktop (namely, Linux) with Inkscape. See Linux Desktop - Apps, Config for more details on how that can provide application support above and beyond Chromebook.

We are in a multi-OS world with mission-specific devices, operating systems, and the like. Regardless, we are seeing applications that are best of breed emerge in each of the platforms.

Note - the recent work in Crostini (see below) could potentially remove many of the problems noted above using Linux containers, at the least the media editing needs. See below for second note.

Second Note - Most of the issues above can be worked around by the use of a dedicated system that would provide the functionality, specifically something like an Asus Vivostick PC, that can act as print server, scanner management, kindle/ebook management, ipod/music management.

Windows and Linux App Support

As of May 2018, there is some amount of Windows and Linux apps, along with Android App Store support.

  • Crossover ChromeOS - Run Windows inside Android - Basically Wine for Android
  • Google officially announces linux app support for ChromeOS - Containers of some kind

Arm and Intel - Crouton & Crostini

Though this may/likely will change, there is currently a divide between the Arm chromebooks (e.g., Asus C101PA and others with the Rockchip) and the Intel chromebooks (e.g., Samsung Chromebook Pro, Google Pixelbook). The container technology Crostini is currently in beta for high-end Intel Chromebooks only (so far). The advantage of the Rockchip is cost and better performance with Android Apps. Another disadvantage is closed source. In fact the Asus C101PA uses the same board as the Samsung Chromebook Plus, which now supports Crostini.

Crostini

Crouton (Previous Approach)

When wanting to install Atom or VisualStudioCode, there are different approaches:

  • Arm chip, use Crouton and HeadMelted's distribution (along with Crouton Integration)
  • Intel chip, use Crostini and VisualStudioCode via Apt

Keyboard Shortcuts

  • Google's page on ChromeOS Shortcuts
  • Note on keyboards without F-keys: on Chromebooks use Search + #
  • See all keyboard shortcuts: ctrl + alt + /
  • Refresh browser page: ctrl + shift + R
  • Printscreen (area): ctrl + shift + F5
  • Crosh Shell: ctrl + alt + T
  • Open item on shelf: ctrl + # (item number in order)
  • Dock a window to left/right: alt + [ / alt + ]
  • Open Files application: alt + shift + M
  • Task Manager: shift + esc

Remote SSH / SFTP

This can be done from a local shell, but for drag-and-drop sftp the best approach is a paid Android app Termius, which is about 1,000 THB/year. This is the only yearly subscription App I use, but it is worth it since it performs a critical function, is fast and stable, and the alternatives are painful, at best.

Enabling full Shell

To enable a full shell with root access, set into Developer mode: esc + refresh + power. After it reboots, ctrl + D. Everything does get removed, so if there is any data not in Google Drive (such as in ~/Downloads/) best to move it before attempting this. Note that scripts on a filesystem mounted noexec will need to be called explicitly, such as /bin/sh script. See more about poking around ChromeOS. Once full shell is enabled, simply do as follows:

Ctrl + Alt + T
shell
(if you need root, then...) sudo su

Note: highlight to copy, and right-click to paste

SSH on Crosh

SSH has been removed from Crosh, and instead is installed as an extension:

  • Secure Shell at Chrome Store

Here is the documentation on this version of SSH. However, I find that completely unnecessary. Instead, it is best to simply install the Chrome Brew package manager, and install everything else one would need -- including, in my case, autossh. There is also an extension that runs crosh in its own window, outside of a Chrome browser instance.

Crosh Commands

While we are at it, some built-in commands in Crosh:

-

Package Manager Chrome Brew (crew)

chromebrew is a handy package manager for ChromeOS.

curl -Ls git.io/vddgY | bash

Commands in Chrome Brew

  • crew install
  • crew remove
  • crew search
  • crew update
  • crew upgrade

Utilities for ChromeOS

Note that wget has been removed from ChromeOS. Instead use curl to get started.

crew install nano
crew install htop
crew install autossh
crew install psmisc
crew install mlocate
crew install ncdu
crew install iptables
crew install imagemagick7
crew install libjpeg
crew install optipng
crew install wget

Managing Offline (Local) Data

There are a few steps to free up space on a Chromebook. Unfortunately, Google Drive will appear to do offline syncing of all data that was put into it by the chromebook itself. It will do more than that (up to 5gb) if offline use is enabled in Google Drive. The key is to not use any offline drive/gmail apps, and not enable offline use. Regardless there will always be something (until the next powerwash).

chrome://drive-internals/
  • Click Clear local data

Again, Google Drive will apparently (as of March, 2018) always keep in the Offline (local) folder, and/or sync up to 5gb of everything down to the chromebook. Some folks report needing to powerwash twice.

Sleep

Sometimes closing the lid on a Chromebook (which is also by definition impossible on a Chromebox, Chromebit, or Chromebase) doesn't invoke sleep mode. Better is to get the Chrome Shell and invoke:

ctrl + alt + T
shell
powerd_dbus_suspend

Even better is the Suspend function with the keystroke: Shift + Search + L

ChromeOS File System

The ChromeOS File System is fairly robust and there are currently add-ons which extend it to Dropbox, etc. The File App is the native GUI to access the local file system and any mounted file systems. See also the ChromeOS directory structure. What I have not yet discovered (or given up hope on) is command-line/shell access to Google Drive which would make executing certain scripts and doing file manipulations easier. In addition, there are still (August 2018) ongoing limitations between the Linux and Android environments relative to the local, Google Drive, and sdcard/usb device access. This is usually an issue regarding application configuration and development rather than across-the-board (except with Linux), since some apps can access other drive spaces.

Python Pip Environment

As per pip installation instructions

cd ~/Downloads
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py
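
Both this get-pip.py download and the earlier Chrome Brew install (curl -Ls git.io/vddgY | bash) execute a script straight from the network. The following is an added example, not part of the original post, of saving the script to a file, comparing its SHA-256 with a digest recorded from a copy that has been read, and refusing to run it on a mismatch. The function names, the sample installer and PINNED_SHA256 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Function names, the sample installer and its digest are
# constructed; substitute a digest recorded from a copy you have read.

# Print the SHA-256 of FILE with whichever tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 if the digest matches, 1 on mismatch, 2 if FILE is missing.
verify_script() {
    [ -f "$1" ] || { echo "verify_script: no such file: $1" >&2; return 2; }
    actual=$(file_sha256 "$1")
    [ "$actual" = "$2" ] && return 0
    echo "verify_script: digest mismatch for $1" >&2
    echo "  expected $2" >&2
    echo "  actual   $actual" >&2
    return 1
}

# fetch_then_run URL EXPECTED_SHA256 INTERPRETER
# Saves URL to a temp file over HTTPS only and runs it with INTERPRETER
# solely when the digest matches; nothing is piped into a shell.
fetch_then_run() {
    script=$(mktemp) || return 2
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$script" "$1" &&
       verify_script "$script" "$2"; then
        "$3" "$script" && status=0 || status=$?
    else
        status=1
    fi
    rm -f "$script"
    return "$status"
}

# Intended use (needs network, so not executed here):
#   fetch_then_run https://bootstrap.pypa.io/get-pip.py "$PINNED_SHA256" python

# Offline demonstration with a constructed installer.
demo=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$demo"
pinned=$(file_sha256 "$demo")            # digest recorded after review
if verify_script "$demo" "$pinned"; then
    echo "reviewed copy: accepted"
fi
echo 'echo "line added upstream later"' >> "$demo"
if ! verify_script "$demo" "$pinned" 2>/dev/null; then
    echo "changed copy: refused"
fi
rm -f "$demo"
```

A mismatch does not prove tampering, only that the script differs from the copy that was reviewed, so it needs to be read again before the pinned digest is updated.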

Upgrade pip with pip install -U pip

Install virtualenv with pip install virtualenv

Then can install things like gmvault to backup gmail:

NEED MORE INFO HERE, problems with security and launching in protected mode

Video Editing

Video is a bit of a challenge on the Chromebook platform, but there are a few options, including online web apps, Android apps, and more robustly, an alternative installation of Linux dual or solo booting. There are additional options for video editing with Android apps, which seem better, though some only support a mobile device portrait display. The other challenge is to get an app that has a reasonable chance of not disappearing, on the one hand, and not costing increasing amounts of money, on the other, with the additional constraint of not being too simplistic, or too complex (and therefore confusing, time-wasting, and bug-ridden).

  • Timbre seems an ok choice for now, more bare bones editing than a full NLE.

Image Editing

Image editing for my humble needs means being able to make an image look better (color, exposure, etc. adjustments), cropping, and some kind of overlays. This really is mostly photos, etc., whereas text and design-based images are managed using .SVG editors (below).

  • Not sure yet what that might be...

SVG Editor - Gravit Designer

Thankfully there is one area that is well-covered, and that is Gravit Designer (and an additional tool, Klex, along with the Gravit Cloud). Originally at gravit.io, they've rebranded under designer.io and have apps for every platform: Linux, Mac, Windows, ChromeOS, and the Browser.

  • Gravit Designer
  • Gravit Blog
  • Gravit Tutorials (YouTube)

Additional ChromeOS and Android Apps

  • Outlook (Android) for email
  • OpenVPN Connect (Android) for VPN support (native is less flexible/functional)
  • FreeOTP (Android) for 2FA
  • Keepass2Android (Android) for password manager
  • AndrOpenOffice (Android) LibreOffice implementation (fantastic)
  • VidTrimPro (Android)
  • EasyVoiceRecorderPro (Android)
  • Telegram X (ChromeOS)

OpenVPN Configuration

Additional Software/Firmware Resources


Linux Kernel on the March

As of early 2018, ChromeOS and Desktop Linux have both crossed the 3% threshold. Android is approaching 50% for OS market share, and is in excess of that in terms of new devices. Heady times for the Linux Kernel indeed. While Android uses the Linux Kernel, nearly everything else in Android is customized, and therefore it doesn't have any distribution lineage to speak of. ChromeOS is derived from Gentoo Linux, a custom build linux distribution. As far as Desktop Linux, it is led by Ubuntu, a Debian-based distribution, Mint, an Ubuntu-based distribution, Debian itself, and Fedora, a member of the Amazon Linux/CentOS/Red Hat family. Server-side there is: Amazon Linux/CentOS/Red Hat, Debian/Ubuntu, and Suse. Arch Linux is also considered a popular Desktop/Server though it is hard to find stats that show this. Linux-based/derived operating system interoperability is interesting and progressing, especially between ChromeOS and Android, as well as the possibility of support for running linux apps using Crostini on ChromeOS. Our guess is they will run inside the same kind of environment as Android apps.

Crouton Dual-Boot ChromeOS and Linux

This is an oldie but goodie, essentially running Linux in a chrooted environment on top of ChromeOS, pretty much how Android runs, I am guessing.

Firmware for intel Chromebooks

ARM not supported, but some nice coreboot/firmware at Mr. Chromebox.

Linux on Chromebooks

The main focus is on intel, which is where Linux has its expertise. A popular choice is GalliumOS, but the hardware requirements are limited to intel.

Rooted ChromeOS + Android Apps

The easiest approach for a bit more control and functionality is a combination of Developer Mode which provides root access, as well as Android Apps. Quite useful and not too much fiddling needed. See more about ChromeOS apps and configuration.


Linux Desktop – Apps, Config

This is about Linux desktop issues (as opposed to server), and mainly deals with desktop-style configuration. See this post about shell and command-line utilities and environments.

  • See also ChromeOS - Apps, Config, Utilities for the companion article on ChromeOS.

Apps to try in the Future

Android Apps

Apps and Utilities Not Available on ChromeOS

But can be run on Linux...

  • Calibre
  • Google Cloud Print Connector for directly connected/sharing Samsung ML-1860
  • Rhythmbox for connecting/managing music and the ipod shuffle
  • Epson Perfection V33 Scanner

Standard Linux-supported Apps


Amazon Linux First Steps

First steps after logging into an Amazon Linux box:

Set up the Name Services (DNS, Hostname) Properly

Note there are several places this needs to be set.

nano /etc/sysconfig/network-scripts/ifcfg-eth0

Make this look as follows:

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
PEERDNS=no
DNS1=84.200.69.80
DNS2=84.200.70.40
DHCPV6C=yes
DHCPV6C_OPTIONS=-nw
PERSISTENT_DHCLIENT=yes
RES_OPTIONS="timeout:2 attempts:5"
DHCP_ARP_CHECK=no

Note that this fixes the general VPC settings issue especially for Lightsail. Next, configure /etc/resolv.conf

nano /etc/resolv.conf

Use this file:

options timeout:2 attempts:5
; configured an override of dhcp-settings in
; /etc/sysconfig/network-scripts/ifcfg-eth0
nameserver 84.200.69.80
nameserver 84.200.70.40

Uninstall Amazon Crap

Get rid of the Amazon SSM Agent and HIB Agent

sudo yum erase amazon-ssm-agent -y
sudo yum erase hibagent -y

Uninstall other Stuff

sudo yum erase portreserve -y

Configure NTP

Time services as follows

sudo yum -y install ntp
sudo service ntpd start
sudo chkconfig ntpd on

Note that to run manually, it is important to turn off the service, as follows:

sudo service ntpd stop
sudo ntpd -gq
sudo service ntpd start

Install and Configure Crontabs

yum -y install crontabs
chkconfig crond on
service crond start
service crond status

More detail on setting up cron jobs

Configure Sendmail

Sendmail is installed (and running) by default. This should be configured to limit its attack surface.

Install some Utilities

yum -y install htop
yum install -y psmisc
yum install -y iotop
yum install -y mlocate
yum install -y lsof
yum -y install ncdu
yum install -y s3cmd

.bashrc, .bash_profile, PATH on AMI

On a new Amazon Linux AMI installation, there is a useful ec2-user account configured. However, in order to make it more useful, there is a need to edit some .bashrc files, as well as create a new user for sftp and scp, as those will produce errors using login scripts that we will set for ec2-user. First off, know that .bashrc is the best thing to use since it functions when using sudo su and executes every time, vs. .bash_profile which (I think) does not. Second, both the ec2-user and root need .bashrc configurations, and my preference is that the first has sudo su invoked and runs right into root. Third, the sftp/scp user will need sudo rights added to the cloud-init file.

Steps to Adjust Login Environments

  • Edit .bashrc files for ec2-user and root
  • Create new user (for sftp/scp), grant rights, and deal with access keys

.bashrc for ec2-user

nano /home/ec2-user/.bashrc

Use this file

# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias lx='ls -la --color=auto'
alias rx='rm -rf'
alias ban='fail2ban-client set apache-badbots banip'
# Set the interrupt keystroke to ctrl-e
stty sane
stty intr ^E
# Pathing
PATH=$PATH:$HOME/bin:~/.local/bin:/usr/local/bin
export PATH
export EDITOR=nano
clear
echo ""
echo "************************************************"
echo "  NEW LOGIN PROCESSED - WELCOME TO server, $USER"
echo "************************************************"
echo ""
sudo su
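
The sftp/scp errors mentioned at the top of this article come from this file printing a banner, calling stty and clear, and starting sudo su in sessions that have no terminal. The following is an added example, not part of the original post, showing an interactive-shell guard that keeps the banner for logins while leaving non-interactive sessions silent. The cut-down rc file, the temporary paths and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. rc contents, paths and function names are constructed.

# write_rc PATH MODE: write a cut-down copy of the ec2-user .bashrc above.
# MODE "guarded" inserts the interactive-shell check before anything that
# prints or touches the terminal; any other MODE keeps the original order.
write_rc() {
    {
        echo 'export EDITOR=nano'
        if [ "$2" = guarded ]; then
            cat <<'EOF'
# Non-interactive shells (scp, sftp, "ssh host cmd") stop here.
case $- in
    *i*) ;;
    *) return ;;
esac
EOF
        fi
        cat <<'EOF'
stty sane
stty intr ^E
clear
echo "NEW LOGIN PROCESSED - WELCOME TO server, $USER"
# "sudo su" from the file above would follow here, below the guard;
# it is omitted so the demonstration never escalates.
EOF
    } > "$1"
}

# noninteractive_output RCFILE: source RCFILE the way a session without a
# terminal would (no -i flag, stdin not a tty) and print everything it
# emits on stdout and stderr. Any byte printed here would be injected
# into the scp/sftp protocol stream.
noninteractive_output() {
    shell=$(command -v bash || command -v sh)
    "$shell" -c '. "$1"' rc-demo "$1" </dev/null 2>&1 || true
}

# Demonstration: compare what each variant emits without a terminal.
demo_dir=$(mktemp -d)
for mode in unguarded guarded; do
    write_rc "$demo_dir/$mode" "$mode"
    bytes=$(noninteractive_output "$demo_dir/$mode" | wc -c | tr -d ' ')
    echo "$mode rc: $bytes bytes emitted in a non-interactive session"
done
rm -rf "$demo_dir"
```

With the guard in place the environment settings above it still apply to every session, so PATH and EDITOR exports belong before the case statement and everything visual after it.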

.bashrc for root

nano /root/.bashrc

Use this file

# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias lx='ls -la --color=auto'
alias rx='rm -rf'
alias ban='fail2ban-client set apache-badbots banip'
PATH=$PATH:$HOME/bin:~/.local/bin:/usr/local/bin
export PATH
export EDITOR=nano
cd /root/temp
clear
echo ""
echo "************************************************"
echo "  NEW LOGIN PROCESSED - WELCOME TO server, $USER"
echo "************************************************"
echo ""
htop

Create New User and Grant Rights

Grant SUDO Rights

nano /etc/sudoers.d/cloud-init

duplicate the ec2-user rights for the new user

Adjust PATH

Edit the PATH in ~/.bash_profile

nano /root/.bash_profile

Use the following:

# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin:~/.local/bin:/usr/local/bin

Then load that profile

source ~/.bash_profile

Also add some helpful shortcuts lx and rx

nano /etc/profile

add to end of file:

alias lx='ls -la --color=auto'
alias rx='rm -rf'

User and SSH Cert

  • Download, move, and rename cert

chmod 400 ~/.ssh/key.pem
ssh -v -i ~/.ssh/key.pem ec2-user@host.domain.tld
sudo su
yum -y update
useradd newuser
passwd newuser
usermod -aG wheel newuser
su - newuser
mkdir .ssh
chmod 700 .ssh
exit
cp /home/ec2-user/.ssh/authorized_keys /home/newuser/.ssh/authorized_keys
chown newuser:newuser /home/newuser/.ssh/authorized_keys
nano /etc/sudoers.d/cloud-init

replace ec2-user with newuser