Category Archives: ubuntu server

Install Dropbox on Ubuntu Server

Dropbox is so useful! Wouldn’t it be great to have that same convenience and function for your user account on your server, just like you have on your workstation?

This has been tested on Ubuntu Lucid and Jaunty. This procedure will create a system with:

  • A separate Dropbox client (daemon) installed for each individual user
  • A separate Dropbox account for each user
  • All the daemons managed together with normal daemon controls

This allows individuals to have their own Dropbox accounts, each with a separate process syncing their individual ~/Dropbox directory. With one command an admin can start or stop all the daemons at once.

Install Prerequisites

Later, we’ll need to read a sqlite3 database record, so install sqlite3.

sudo aptitude -y install sqlite3

Install Dropbox client for an individual user

This step is repeated for each user that wants a Dropbox client. Start by setting up your own account, then repeat for each user. This is run with a user’s own account. The changes made all take place in their home directory.

First, determine whether you have 32-bit or 64-bit Ubuntu Server. You must install the correct version, either 32-bit or 64-bit, or it will not work. The following command will tell you which is installed:

uname -a | grep '_64' >/dev/null && echo 'A 64-bit OS is installed'; uname -a | grep '_64' >/dev/null || echo 'A 32-bit OS is installed'

Run the correct installation, based on whether a 32-bit or 64-bit OS is installed.

32-bit installation:

cd ~
wget -O dropbox.tar.gz "http://www.dropbox.com/download/?plat=lnx.x86"
tar -zxof dropbox.tar.gz

or

64-bit installation:

cd ~
wget -O dropbox.tar.gz "http://www.dropbox.com/download/?plat=lnx.x86_64"
tar -zxof dropbox.tar.gz

Link user’s Dropbox client to their Dropbox account:

wget http://dl.dropbox.com/u/6995/dbmakefakelib.py
python dbmakefakelib.py

The above will run for a little while without printing anything, then print “dropboxd ran for 15 seconds without quitting – success?”. When it does so, press control-c twice. Yes, it is unusual. What this does is populate a sqlite3 database with an ID from the Dropbox server. Next, we’ll extract that code and use it to link your Dropbox user account with this CLI Dropbox client instance.

On the server, via SSH

Get the URL with:

echo https://www.dropbox.com/cli_link?host_id=`echo '.dump config' | sqlite3 ~/.dropbox/dropbox.db | grep host_id | cut -d \' -f 4 | python -c 'print raw_input().decode("base64")' | grep '^V' | cut -b 2-`

On your local machine, in a web browser

Copy the URL that the above printed and paste it into a web browser. When you do so, Dropbox will register your client on the server with your Dropbox account.

At this point, Dropbox will not be quite working yet. The next steps will take care of that.

Create Dropbox daemon control

The next task is to create a system to start and stop the dropbox daemon for each user on the system that has Dropbox installed for his/her user account. The following daemon init script was lifted from: http://wiki.dropbox.com/TipsAndTricks/TextBasedLinuxInstall.

Of course, this is for the use of the system admin. This creates a normal daemon init start/stop script and installs it so the Dropbox daemons are started when the system boots. The admin can also use this to control the Dropbox daemons manually.

sudo vi /etc/init.d/dropbox

Paste in the following code. Then, modify line 4 (the DROPBOX_USERS line), replacing “user1 user2” with your username. For future reference, additional users’ Dropbox daemons can be controlled with this one script: add additional usernames separated with spaces.

#!/bin/sh
# dropbox service
# separate usernames in the following line with spaces.
DROPBOX_USERS="user1 user2"

# daemon path, relative to each user's home directory
DAEMON=.dropbox-dist/dropbox

start() {
    echo "Starting dropbox..."
    for dbuser in $DROPBOX_USERS; do
        # look up the user's home directory (field 6 of the passwd entry)
        HOMEDIR=`getent passwd "$dbuser" | cut -d: -f6`
        if [ -x "$HOMEDIR/$DAEMON" ]; then
            # -S start, -b background, -c run as this user, -o exit 0 even if no action is taken
            HOME="$HOMEDIR" start-stop-daemon -b -o -c "$dbuser" -S -u "$dbuser" -x "$HOMEDIR/$DAEMON"
        fi
    done
}

stop() {
    echo "Stopping dropbox..."
    for dbuser in $DROPBOX_USERS; do
        HOMEDIR=`getent passwd "$dbuser" | cut -d: -f6`
        if [ -x "$HOMEDIR/$DAEMON" ]; then
            # -K stop the daemon owned by this user
            start-stop-daemon -o -c "$dbuser" -K -u "$dbuser" -x "$HOMEDIR/$DAEMON"
        fi
    done
}

status() {
    for dbuser in $DROPBOX_USERS; do
        dbpid=`pgrep -u "$dbuser" dropbox`
        # $dbpid is quoted because pgrep can print more than one PID
        if [ -z "$dbpid" ] ; then
            echo "dropboxd for USER $dbuser: not running."
        else
            echo "dropboxd for USER $dbuser: running (pid $dbpid)"
        fi
    done
}

case "$1" in
  start)
    start
    ;;

  stop)
    stop
    ;;

  restart|reload|force-reload)
    stop
    start
    ;;

  status)
    status
    ;;

  *)
    echo "Usage: /etc/init.d/dropbox {start|stop|reload|force-reload|restart|status}"
    exit 1
    ;;

esac

exit 0

Make the init script executable and restart the daemon:

sudo chmod +x /etc/init.d/dropbox
sudo /etc/init.d/dropbox restart

When you restart the daemon, it will be running correctly linked to your Dropbox account. It will create a Dropbox directory in your home directory and will start to populate it with files you have on Dropbox.

Have the daemon(s) run automatically at boot time:

sudo update-rc.d dropbox defaults

The above creates the links needed so the daemon(s) start when the server boots.

Managing the Daemons

A separate daemon will be run for each user that has the Dropbox client installed – with only one command. This makes it easy for individual users to have separate Dropbox accounts, each syncing to ~/Dropbox for their user account. Here are the commands to manage these daemons:

Start Dropbox services for all users:

sudo /etc/init.d/dropbox start

Stop Dropbox services for all users:

sudo /etc/init.d/dropbox stop

Restart Dropbox services for all users:

sudo /etc/init.d/dropbox restart

Get service status for each user Dropbox service:

sudo /etc/init.d/dropbox status

Passive Mode (PASV) FTP client on an Ubuntu server

If you need to communicate from your Ubuntu server to an FTP server that requires passive mode, there is a problem: your firewall likely blocks communication. Using an FTP client manually, you can probably connect with the server, but not list or transfer files!

The reasons for this are straightforward: your system is operating exactly as it is configured to. The explanation requires a little understanding of FTP and firewalls.

Most IP protocols use one port on the local machine and one port on the server being connected to. FTP happens to use two ports instead of one. When negotiating a connection, the two computers negotiate which port to send data to. This brings us to an important difference between the two modes:

  • In active mode FTP, the client sends the server a PORT command, which tells the server which client port to use for data. The client connects to the server.
  • In passive mode, the client sends the server a PASV command that asks for a server port to use for data. The server connects with the client.

The tricky bits concern this second port that is negotiated. This port is not a fixed number; it is a dynamically allocated port above 1023. The port number is encoded in a packet as two numbers that need to be multiplied together to get the port number. The firewalls involved need to be smart enough to recognize the FTP negotiation, extract this port number from the traffic, open that specified port and keep it open during the FTP session.

In active mode, this tricky bit is handled by the server, but in passive mode, it is handled by the client’s firewall! Ah ha! So, you need to configure your firewall to be smart about address translation and FTP connections.
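The port extraction that an FTP-aware firewall has to perform, as an added example that is not part of the original post: RFC 959 writes the data endpoint as six decimal numbers h1,h2,h3,h4,p1,p2, and the port is p1 × 256 + p2. The function name ftp_data_endpoint and the sample control lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the data endpoint carried on the FTP control channel.
# RFC 959 format: h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2

# ftp_data_endpoint LINE
# Prints "ip:port" for a "227 ..." PASV reply or a "PORT ..." command.
# Returns 1 for any other line or a malformed tuple.
ftp_data_endpoint() {
    case "$1" in
        227*)  rest=${1#227}  ;;
        PORT*) rest=${1#PORT} ;;
        *)     return 1 ;;
    esac
    # Skip the free-text part, keep the run of digits and commas.
    tuple=$(printf '%s\n' "$rest" | sed -n 's/^[^0-9]*\([0-9,]*\).*$/\1/p')

    old_ifs=$IFS; IFS=,
    set -- $tuple                 # split on commas into $1..$6
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1

    for n in "$@"; do
        case "$n" in
            ''|*[!0-9]*|????*|0?*) return 1 ;;  # empty, non-digit, too long, leading zero
        esac
        [ "$n" -le 255 ] || return 1            # each field is a single byte
    done
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# Constructed sample control-channel lines (not captured traffic).
for line in \
    '227 Entering Passive Mode (192,168,1,10,195,80).' \
    'PORT 10,0,0,5,4,1' \
    '227 Entering Passive Mode (192,168,1,10,195)' \
    '230 Login successful.'
do
    if endpoint=$(ftp_data_endpoint "$line"); then
        echo "data connection expected at $endpoint"
    else
        echo "no data endpoint in: $line"
    fi
done
```

Because the port only appears inside the control-channel text, a firewall that does not parse these lines has no way to know which high port the data connection will use.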

Configuring the firewall

You will need to activate a couple of kernel modules for iptables. These will turn on NAT (network address translation) for FTP and FTP connection tracking. As iptables/Netfilter is part of the kernel, we need to use modprobe to add these to the current session and also make changes to /etc/modules so the modules will load next time the server is rebooted.

First, use modprobe to use these two modules now:

sudo modprobe ip_nat_ftp
sudo modprobe ip_conntrack_ftp

Then, modify /etc/modules so the modules will load on next reboot:

sudo vi /etc/modules

Add these lines:

ip_nat_ftp
ip_conntrack_ftp

With these two modules, you should now be able to use passive mode from an FTP client on your Ubuntu server.

Ubuntu UFW Uncomplicated Firewall Examples

See also: Securing an Ubuntu Server

UFW community documentation: https://help.ubuntu.com/community/UFW

UFW server documentation: https://help.ubuntu.com/10.04/serverguide/C/firewall.html

UFW page: https://wiki.ubuntu.com/UncomplicatedFirewall

Implementing a basic firewall on your Ubuntu server is simple.

UFW (Uncomplicated Firewall) is a simple configurator for Netfilter, the packet filtering system that is built into the Linux kernel. This will then filter IP packets that arrive at the server by port number. Port numbers are nothing magical, just an integer in the packet header that gets mapped to a service, like your web server. All the packets arriving with a certain port number are mapped to a service.

By default, when you turn on UFW, everything is filtered. Then, with very simple commands, you set rules to allow just the services you are providing. If you are just providing a web server, you would allow only the port needed for that.

Turning UFW on

By default, UFW is turned off. To turn it on:

sudo ufw enable

That is all there is to it. UFW is now running. When your system reboots, UFW will be started automatically.

Allowing SSH

By default, SSH uses port 22. Of course, you can configure OpenSSH to use a different port number…then open that port instead of 22.

sudo ufw allow 22

…or you can use the service name instead of the port number:

sudo ufw allow ssh

…or you can use the service application name instead of the port number:

sudo ufw allow OpenSSH

To get a list of service applications:

sudo ufw app list

The concept to retain is that rules can be set with a port number (22) or service name (ssh) or application name (OpenSSH).

Allowing Apache

By default, HTTP servers use port 80.

sudo ufw allow 80

…or you can use the service name instead of the port number:

sudo ufw allow http

…or you can use the service application name instead of the port number:

sudo ufw allow Apache

View status

To see the current status of UFW on your server:

sudo ufw status verbose

Example output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
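A way to review what a rule set like the one above exposes, as an added example that is not part of the original post: a rule given as a bare port number (22) matches both TCP and UDP, while 80/tcp matches TCP only. The function names ufw_exposed and sample_status are hypothetical, and the parser assumes the IPv4 status layout shown above.

```shell
#!/bin/sh
# Added example: summarize which ALLOW rules are open to every source address.

# ufw_exposed: reads `ufw status` or `ufw status verbose` text on stdin and
# prints one line per ALLOW rule whose source is Anywhere:
#   "<port> <protocol>"  or  "<profile name> profile"
ufw_exposed() {
    awk '
        /^--/ { in_rules = 1; next }                 # dashed line ends the header
        !in_rules || NF < 3 { next }
        {
            act = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { act = i; break }
            if (!act || $NF != "Anywhere") next      # only rules open to every source
            to = $1
            for (i = 2; i < act; i++) to = to " " $i # profile names may contain spaces
            if (to ~ /^[0-9:,]+\/(tcp|udp)$/) { split(to, p, "/"); print p[1], p[2] }
            else if (to ~ /^[0-9:,]+$/)       print to, "tcp+udp"   # no protocol given
            else                              print to, "profile"   # application profile
        }
    '
}

# The status output shown above, embedded so the example runs without ufw.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
EOF
}

sample_status | ufw_exposed
```

On a live server, pipe the real output in with: sudo ufw status verbose | ufw_exposed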

A little more

The /etc/services (text) file is used to map service names to port numbers. This can be used to find out which ports are mapped to which services. The vast majority of the designations in this file are not implemented on a given system. This file’s main purpose is to allow service applications (programs) to get the port number to use for a service being provided.

Rules can be set with any of the following:

  • port number
  • service name
  • application name

List service names

cat /etc/services

List available application names

sudo ufw app list

List implemented services and assigned ports

sudo lsof -i -nP

List active network connections

sudo netstat -p

UFW Help

Enter:

sudo ufw help

Help output:


Usage: ufw COMMAND

Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

Installing Net::Amazon::S3 Perl module on an Ubuntu server

The following is the same on recent Ubuntu releases, including Karmic, Lucid and Maverick.

What will not work

There seems to be a problem if you install Net::Amazon::S3 from CPAN. This will not work:

sudo cpan Net::Amazon::S3

Just about every dependency in the world installs, but fails in the home stretch when XML::LibXML::XPathContext and XML::LibXML fail to install.

What will work

sudo aptitude install libnet-amazon-s3-perl
sudo cpan Net::Amazon::S3::Client

Test your install with this

After throwing some data into S3 with S3Fox, test your installation. You will need to set values for aws_access_key_id and aws_secret_access_key, of course.

#!/usr/bin/perl
use warnings;
use strict;
use Net::Amazon::S3;
use Net::Amazon::S3::Client;

my %s3_hash = (
    aws_access_key_id     => "XXXXXXXXXXXXXXXXX",
    aws_secret_access_key => "YYYYYYYYYYYYYYYYYYYYYYYYYY",
    retry                 => 1,
);

my $s3 = Net::Amazon::S3->new( \%s3_hash );
my $client = Net::Amazon::S3::Client->new( s3 => $s3 );

my @buckets = $client->buckets;
foreach my $bucket (@buckets) {
	print $bucket->name . "\n";
}