Tag Archives: Server Administration

Installing and removing services using rc.d

When installing stuff on your *nix box, you may want it to run automatically at startup, somewhat like a service. For that, you have the rc.d system, which works with init based on your runlevel, and the Upstart system.

There are other places you can go to learn about administering services with rc.d, or writing rc.d scripts. This post is just meant to be a basic overview/HOWTO on this topic.

A basic way to understand the init/rc.d system is that the /etc/init.d/ scripts do the managing of the “services” that you want, and the rc.d scripts run the relevant init.d scripts based on the runlevel you’re booting into.

$ runlevel
N 2

The output of the runlevel command tells you which runlevel you are in (2 in this case). Given that, we assume that the scripts in rc2.d are the ones that get run.

$ ls -l /etc/rc2.d/
total 4
lrwxrwxrwx 1 root root  13 2010-09-27 09:21 K50ntp -> ../init.d/ntp
-rw-r--r-- 1 root root 677 2011-04-19 15:11 README
lrwxrwxrwx 1 root root  26 2010-05-10 16:07 S20clamav-freshclam -> ../init.d/clamav-freshclam

Here’s an excerpt of the listing of the files in /etc/rc2.d/. You will see that some links have names starting with K, and others with S. The K ones are simply disabled (they don’t run when you enter that runlevel), and the S ones are enabled.

So…we assume that the relevant /etc/init.d/ script has been written/installed already, and here’s how you remove all links for a given service (pppd-dns in these examples).

$ sudo update-rc.d -f pppd-dns remove

 Removing any system startup links for /etc/init.d/pppd-dns ...
   /etc/rc1.d/S70pppd-dns
   /etc/rc2.d/S70pppd-dns
   /etc/rc3.d/S70pppd-dns
   /etc/rc4.d/S70pppd-dns
   /etc/rc5.d/S70pppd-dns

This shows that the pppd-dns service attempts to install itself into runlevels 1, 2, 3, 4 and 5 where possible.

$ head /etc/init.d/pppd-dns

#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          pppd-dns
# Required-Start:    $local_fs gdm
# Required-Stop:
# Default-Start:     1 2 3 4 5
# Default-Stop:
# Short-Description: Restore resolv.conf if the system crashed.
### END INIT INFO

And…here’s how you install the service based on the configured settings in the /etc/init.d/pppd-dns file:

$ sudo update-rc.d pppd-dns defaults

update-rc.d: warning: pppd-dns start runlevel arguments (2 3 4 5) do not match LSB Default-Start values (1 2 3 4 5)
update-rc.d: warning: pppd-dns stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (none)
 Adding system startup for /etc/init.d/pppd-dns ...
   /etc/rc0.d/K20pppd-dns -> ../init.d/pppd-dns
   /etc/rc1.d/K20pppd-dns -> ../init.d/pppd-dns
   /etc/rc2.d/S20pppd-dns -> ../init.d/pppd-dns
   /etc/rc3.d/S20pppd-dns -> ../init.d/pppd-dns
   /etc/rc4.d/S20pppd-dns -> ../init.d/pppd-dns
   /etc/rc5.d/S20pppd-dns -> ../init.d/pppd-dns
   /etc/rc6.d/K20pppd-dns -> ../init.d/pppd-dns
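
The two update-rc.d warnings above mean the links on disk no longer match what the init script's LSB header declares. As an added example (not from the original post), this script checks that directly; lsb_default_start, linked_start, check_service and make_demo_tree are names chosen here, and the demo tree is constructed in a temporary directory rather than read from a real /etc.

```shell
#!/bin/sh
# Added example: compare an init script's LSB Default-Start header with
# the S (start) links that actually exist under rc?.d.

# Runlevels declared in the LSB header of init script $1.
lsb_default_start() {
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/s/^# Default-Start:[[:space:]]*//p' "$1" |
    tr '\t' ' ' | tr -s ' ' | sed 's/ *$//'
}

# Runlevels where an S link for service $1 exists under root directory $2.
linked_start() {
    for lvl in 0 1 2 3 4 5 6; do
        for link in "$2/rc$lvl.d"/S[0-9][0-9]"$1"; do
            if [ -L "$link" ]; then printf '%s ' "$lvl"; fi
        done
    done | sed 's/ *$//'
}

# Report whether header and links agree for service $1 under root $2.
check_service() {
    want=$(lsb_default_start "$2/init.d/$1")
    have=$(linked_start "$1" "$2")
    if [ "$want" = "$have" ]; then
        echo "ok: $1 starts in [$have]"
    else
        echo "drift: $1 header says [$want], links say [$have]"
    fi
}

# Constructed tree mirroring the pppd-dns output above (not a real /etc).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/init.d"
    printf '%s\n' '#!/bin/sh -e' '### BEGIN INIT INFO' \
        '# Provides:          pppd-dns' '# Default-Start:     1 2 3 4 5' \
        '# Default-Stop:' '### END INIT INFO' > "$root/init.d/pppd-dns"
    for lvl in 0 1 2 3 4 5 6; do
        mkdir "$root/rc$lvl.d"
        case $lvl in 2|3|4|5) p=S20 ;; *) p=K20 ;; esac
        ln -s ../init.d/pppd-dns "$root/rc$lvl.d/${p}pppd-dns"
    done
    echo "$root"
}

demo=$(make_demo_tree)
check_service pppd-dns "$demo"   # on a live system: check_service pppd-dns /etc
rm -rf "$demo"
```

Run over every script in /etc/init.d, the same check gives a quick inventory of which services really start in each runlevel, which is useful when reviewing what a box launches at boot.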

HTH.

L2TP (Ubuntu) server setup for iOS clients

For you road warriors who wish to set up their own VPN to secure their traffic when using any untrusted/unprotected networks (“free” WiFi?) when travelling, this would be the thing you use: a trusted VPN setup.

While I did dabble with OpenVPN some time back, protocols like L2TP would be more commonly supported, especially on the “venerable” iOS device (iPhone, iPod Touch, iPad), and on Windoze machines, Android, etc.

This post will be on what you’ll need to set up an L2TP server in Ubuntu for iOS devices to connect to. The server is assumed to be directly accessible from the internet. Some of the stuff is taken from other places, for my own reference here. There’s also a great write-up on IPsec over at Steve Friedl’s Unixwiz.net Tech Tips site, for you geeks who actually want to understand a little regarding what you’re using (high five!).

The L2TP server setup actually comprises three main parts (surprise!): the L2TP daemon, the IPsec daemon and the PPP daemon (providing DHCP services).

Main steps:

  1. install openswan (for IPsec), xl2tpd (L2TP) and ppp
  2. configure
  3. configure the (Linux) kernel to turn on IP forwarding, and IP masquerading if the iptables firewall is on
  4. configure the device itself
  5. take a break, have a pina colada or something
  6. profit!


Linux Login Detection Redux

Have almost forgotten how fun it is to mess around with a Linux server. Building another Linux server did indeed bring back some memories 😛

This is another scratchpad post: little to no explanation/breakdown on the script involved (unless there’s the “impetus” to elaborate in future). Feel free to ask/discuss in the comments section below though.

Any user who logs in should trigger the sending of the notification email from the server immediately, and if it wasn’t an expected login, well at least you’d know it’s time to trigger some incident response processes.

As an improved version of the old post on the same topic, this script is likewise to be appended to /etc/profile, or to the relevant ~/.bash_profile for each user.

# cut -s skips who entries that have no "(source)" field (local logins);
# $i is quoted so each value reaches whois and dig as a single argument.
echo -e "$(hostname) shell access\n$(date)\n$(who)\n\
$(for i in $(who|cut -s -d"(" -f2|cut -d")" -f1|cut -d":" -f1|sort -u);
do echo -e "==========\nwhois $i"; whois "$i";
echo -e "\n=====\nreverse $i"; dig -x "$i";
done;)" | \
mail -s "$(hostname) alert: shell access from \
$(who|cut -s -d"(" -f2|cut -d")" -f1|cut -d":" -f1|tr "\n" " ")" \
'youremail@domain.com'

The changes are, namely, the addition of whois and reverse IP (DNS PTR) lookups for all IP addresses currently logged on via SSH, and the use of the more readable $() Bash command substitution rather than backticks (`).

You will need to have installed the mailutils package (apt-get install mailutils), and probably an MTA like postfix or exim too.
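
The source field that who prints is derived from the remote end of the connection (it can be a reverse-DNS name), so it is worth validating before it reaches whois, dig or the mail subject. An added variant of the script above, not the author's code: remote_hosts, login_alert and SAMPLE_WHO are names chosen here, and the sample who output is constructed.

```shell
#!/bin/sh
# Added example, not the post's original script; SAMPLE_WHO is constructed.

# Read `who` output on stdin; print validated, unique remote sources.
# Only entries ending in "(source)" count as remote, and a source is kept
# only if it looks like an IPv6 literal or a hostname/IPv4 literal.
remote_hosts() {
    awk 'match($0, /\([^()]*\)[ \t]*$/) {
             h = substr($0, RSTART + 1); sub(/\)[ \t]*$/, "", h)
             if (h ~ /^[0-9A-Fa-f]*:[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$/ ||
                 h ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/) print h
         }' | sort -u
}

# Build and mail the alert. The ( ) body runs in a subshell, so no
# variables leak into the login shell that sources /etc/profile.
login_alert() (
    hosts=$(who | remote_hosts)
    {
        printf '%s shell access\n%s\n' "$(hostname)" "$(date)"
        who
        for h in $hosts; do          # safe unquoted: values are validated
            printf '==========\nwhois %s\n' "$h"; whois "$h"
            printf '\n=====\nreverse %s\n' "$h"; dig -x "$h"
        done
    } | mail -s "$(hostname) alert: shell access from $(echo $hosts)" \
        'youremail@domain.com'
)

# Constructed sample of `who` output (documentation addresses only).
SAMPLE_WHO='alice    pts/0        2012-04-30 10:01 (203.0.113.7)
bob      tty1         2012-04-30 09:00
carol    pts/1        2012-04-30 10:05 (2001:db8::1)
dave     pts/2        2012-04-30 10:06 (:0)
alice    pts/3        2012-04-30 10:07 (203.0.113.7)
eve      pts/4        2012-04-30 10:08 (-not-a-host)'

# Demo on the sample; in /etc/profile you would call login_alert instead.
printf '%s\n' "$SAMPLE_WHO" | remote_hosts
```

Unlike cutting on ":", this keeps IPv6 sources intact, and entries such as the local display ":0" or a value starting with "-" are dropped instead of being handed to the lookup tools.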

HTH.

Edit 30 Apr 2012: small bug fix in the sequence to extract all IPs from the who command output.