the empty quarter » administration

How to change SSH port number on Ubuntu server

martin — Fri, 03 Sep 2010 08:56:48 +0000

Changing the port number of SSH daemon is a quick way of reducing the number of SSH brute force attacks your server might face (check the file /var/log/auth.log to see if there are many failed SSH login attempts).

Just to be on the safe side, create a backup copy of the SSH daemon config file.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.vanilla
Edit the config file.
sudo vi /etc/ssh/sshd_config
Change the port number on the following line, e.g. to 2201 or some other unused port. Make sure you note down the port number.
Port 22
Restart the SSH daemon. You might get kicked out of your existing session.
sudo /etc/init.d/ssh restart
When you login next remember to include the correct port.
ssh youruser@yourserver -p 2201

BADSIG error in Ubuntu Update Manager

martin — Thu, 14 May 2009 15:56:29 +0000

Here are a few things you can try if you get the BADSIG error in Update Manager:

Run the following commands from terminal shell:
sudo apt-get clean sudo apt-get update -o Acquire::http::No-Cache=True
Change the Ubuntu server from which updates are downloaded: System > Software Sources > Ubuntu Software tab > change the selected server in the “Download from” dropdown.

Login as someone else

martin — Thu, 30 Apr 2009 16:03:38 +0000

Sometimes you may want to log in with a different user account in Terminal without logging out from your X session or switching to an unused virtual console. There are two different approaches to do this in Ubuntu: interestingly, it is possible without even knowing the other user’s password.

Approach 1: if you know the password of the other account ( is replaced with the account you want to log in as, e.g. bob or pinky or whatever):

su -l

Approach 2: if you don’t know their password. This only works if you have administrative privileges, i.e. your account is in the sudoers file. The password you are prompted for is your own one:

sudo -i -u

or even execute the command from our approach 1 with sudo:

sudo sh -c 'su -l '

Note: It goes without saying that you should behave responsibly and not abuse this to gain access to other user’s data.

Change Oracle XE web ports

martin — Tue, 21 Apr 2009 13:48:56 +0000

Oracle Database XE (Express Edition, sometimes also referred to as Apex) comes with an embedded web interface for administration. By default the HTTP port of this web interface is 8080. This can be checked by running the query below when logged in as system:

SQL> select dbms_xdb.gethttpport from dual;

In order to change the port number, run the following SQL (the port is changed to 8181 in the example below) and restart the database:

SQL> begin dbms_xdb.sethttpport('8181'); end; /

If you want to disable the HTTP access altogether, you can set the port number to 0.

There are also similar methods dbms_xdb.getftpport and dbms_xdb.setftpport, although I am not sure in what context FTP is used with Oracle XE. By default the port is 0, i.e. disabled.

This incident will be reported

martin — Tue, 21 Apr 2009 01:23:12 +0000

My recent misadventures with adding a group membership for my user and in the process managing to remove all other groups (including admin) got me thinking about the message “... is not in the sudoers file. This incident will be reported.” Exactly where and how and to whom is this reported?

Well, according to clever people on linuxquestions.org, the log file where unsuccessful sudo attempts are logged (as well as other things related to authentication) is /var/log/auth.log. The command below will show you just those entries for unsucessful sudo attempts:

grep "user NOT in sudoers" /var/log/auth.log

Note also that a new file is created once the log reaches a certain size, and older files are archived. So if you need to check properly you will also want to look into the archived files (listing from my old Xubuntu laptop shown below):

ls -l /var/log/auth.log* -rw-r----- 1 syslog adm 2319 2009-04-20 21:38 /var/log/auth.log -rw-r----- 1 syslog adm 68936 2009-04-20 06:33 /var/log/auth.log.0 -rw-r----- 1 syslog adm 3697 2009-04-13 06:17 /var/log/auth.log.1.gz -rw-r----- 1 syslog adm 1182 2009-04-04 10:17 /var/log/auth.log.2.gz -rw-r----- 1 syslog adm 2088 2009-03-26 19:04 /var/log/auth.log.3.gz

Securing SSH

martin — Mon, 20 Apr 2009 02:35:02 +0000

This article on The Register has a link to a very good page on CentOS website with tips on securing OpenSSH. The tips are applicable for all distros, not just CentOS, and are definitely worth going through and implementing if you have SSH enabled on your server.

Good luck and stay secure.

Add user to group with usermod

martin — Sat, 18 Apr 2009 10:12:30 +0000

Here is a very simple one which caught me out: you want to add your user to a group through command line. The command is very straightforward:

sudo usermod -aG tools hammer

This adds the user “hammer” to the group “tools”. Notice the -a switch (for add). This means “hammer” will become member of “tools” and keep his exiting group memberships. However, if you run the command without the -a switch:

sudo usermod -G tools hammer

Then “hammer” becomes member of “tools” (all well and good) but has lost its other group associations defined previously – including on Ubuntu the group “admin”. So that next time you log in (you need to log out and back in for the group memberships to be reflected properly) and try to run sudo something you get a nice message like so:

hammer is not in the sudoers file. This incident will be reported.

Luckily, I had another user with admin priviledges on the machine and so was able to add all the groups which I removed by mistake. In any case, I will now remember to include the -a option next time I run usermod to add user to a group!