Yesterday the wonderful Howtoforge had an article that finally freed me from my beloved/hated scponly. MySecureShell offers all the functionality of a proper SFTP server, easily configurable and very well integrated.

To get it up and running on Debian, just download the latest *.deb version from Sourceforge.
Then install it with the following command:
dpkg -i mysecureshell_0.95_i386.deb

Now for every SFTP user you want on your system just do the following (substitute ‘test’ with your desired username).
Add a normal user to your system:
adduser test
Open the file /etc/passwd and change the user’s shell from /bin/bash to /bin/MySecureShell. The line then should look something like this:
test:x:1111:1111::/home/test:/bin/MySecureShell
And there you have it: a chrooted SFTP-only user, without the clutter of numerous additional directories for the chroot. Simple and elegant 🙂

The last step is to have a look through the config file in /etc/ssh/sftp_config; it’s pretty well documented!

This is a quick HowTo for installing the eAccelerator PHP cache/optimizer on a Debian system (should be applicable to other Linux distros as well).

  1. Download the latest release from SourceForge.net to your server and extract the sources.
  2. Change to the sources directory and type in the following.
    export PHP_PREFIX="/usr"
    $PHP_PREFIX/bin/phpize
    ./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config

    This should set up the environment and compile configuration correctly.
  3. Now compile with make and install with make install (as root) afterwards.
  4. To configure eAccelerator you have to edit your PHP config which resides in /etc/php4/apache2/php.ini on my system.
    Add the following lines at the end:
    extension="eaccelerator.so"
    eaccelerator.shm_size="16"
    eaccelerator.cache_dir="/tmp/eaccelerator"
    eaccelerator.enable="1"
    eaccelerator.optimizer="1"
    eaccelerator.check_mtime="1"
    eaccelerator.debug="0"
    eaccelerator.filter=""
    eaccelerator.shm_max="0"
    eaccelerator.shm_ttl="0"
    eaccelerator.shm_prune_period="0"
    eaccelerator.shm_only="0"
    eaccelerator.compress="1"
    eaccelerator.compress_level="9"

    The file README in the sources directory gives a pretty good explanation of all those parameters. The only one you should probably alter is eaccelerator.shm_size, because 16 MB of shared memory might be a little bit too conservative.
  5. Last step is to create the directory where eAccelerator stores the cached scripts which don’t fit into the shared memory.
    mkdir /tmp/eaccelerator
    chmod 0777 /tmp/eaccelerator

Now you’re done. Further tweaking can be accomplished by altering all the parameters in the php.ini file.
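
A check for the cache directory created in step 5, as an added example that is not part of the original how-to. The function name and the finding labels are made up for illustration; the tighter mode in the demo assumes the directory is owned by the account Apache runs as.

```shell
# Added example: list reasons a script-cache directory should not be trusted.
# Prints one finding per line; no output means no finding.
audit_cache_dir() {
    dir=$1
    # A symlink at this path sends the cache wherever its creator chose.
    if [ -L "$dir" ]; then echo "symlink"; return 0; fi
    [ -d "$dir" ] || { echo "missing"; return 0; }
    # Other-write bit: any local account can add or replace cache files.
    [ -z "$(find "$dir" -maxdepth 0 -perm -0002)" ] || echo "world-writable"
    # World-writable parent (such as /tmp): another account can create the
    # directory first and keep ownership of it.
    parent=$(dirname "$dir")
    [ -z "$(find "$parent" -maxdepth 0 -perm -0002)" ] || echo "parent-world-writable"
}

# Constructed sandbox so the demo never touches the real /tmp/eaccelerator.
base=$(mktemp -d)                       # mktemp -d creates it with mode 0700
mkdir "$base/eaccelerator"
chmod 0777 "$base/eaccelerator"         # the mode used in step 5
audit_cache_dir "$base/eaccelerator"    # prints: world-writable
chmod 0700 "$base/eaccelerator"         # assumed: owned by the Apache account
audit_cache_dir "$base/eaccelerator"    # prints nothing
rm -rf "$base"
```

On a live system, run audit_cache_dir against the path set in eaccelerator.cache_dir.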

For a long time I wanted to be able to run both PHP 4 and PHP 5 on the same server. Now I finally managed to come up with a solution that is easy to install and easy to use.

  1. Add the Debian Backports repository to your /etc/apt/sources.list
    deb http://www.backports.org/debian/ sarge-backports main contrib non-free
  2. Issue a package update: aptitude update
  3. Install PHP 5 as CGI module: aptitude install php5-cgi
  4. Configure Apache by adding the following lines to your main config file. In my case this was /etc/apache2/apache2.conf
    ScriptAlias /php5-cgi /usr/lib/cgi-bin/php5
    Action php5-cgi /php5-cgi
  5. Now find the Virtual Host you want to run on PHP 5 and simply put the following line into the <Directory> directive.
    AddHandler php5-cgi .php
    This overrides the default handler for files ending in .php, which would be the normal PHP 4 module. With this directive they are now parsed and executed by the PHP 5 CGI binary.
  6. Reload your webserver config with
    /etc/init.d/apache2 reload

Tunnelblick

A few months ago I started to look at OpenVPN, which has a very good GUI for the Mac called “Tunnelblick“. After I managed to set it up on my server I thought why not share my home directory via the VPN tunnel and mount it on my Desktop. It should be fairly usable, provided I’ve got sufficient net connection on my end, since my server has a 100MBit internet line. So I set up Samba and let it listen only on the VPN interface.
The following is a quick step-by-step how-to on setting up such a setup 🙂

Install OpenVPN on your server
Download the latest source from http://openvpn.net/download.html
Unpack it and run the usual commands:
./configure
make
make install

Then do some testing:
make check
If it all works fine, you’re good to go.
The other possibility is of course to install it from a package your distribution provides; in my case this is handled by apt (aptitude install openvpn), which has the advantage of setting up init scripts so the VPN is started at system boot and taking care that the whole environment on the server is suitable.

Configure OpenVPN on your server
We’re gonna work with a pre-shared static key here because it is easier to set up and provides enough security for home use.
My config file on the server side looks as simple as the following (/etc/openvpn/home.conf):
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

This tells OpenVPN to start a new VPN on the “tun” device with the local IP 10.8.0.1 (10.8.0.2 is the other end of the tunnel), using the key named “static.key”. The rest are some tweaking commands which should be pretty self-explanatory.

Now we only need the static key.
We can construct one by putting in the following command:
openvpn --genkey --secret static.key
The static key file is formatted in ASCII and should be kept very private. Send one copy to the computer you would like to connect to your server and keep the other copy beside your config file on your server.
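
A check that a static key file is private and intact before it is put next to the config, as an added example that is not part of the original post. The function names and finding labels are made up for illustration; the sample key is a constructed all-zero placeholder.

```shell
# Added example: sanity-check an OpenVPN static key file.
# Prints one finding per line; no output means every check passed.
check_static_key() {
    key=$1
    [ -f "$key" ] || { echo "missing"; return 0; }
    # Group- or other-readable: accounts besides the owner can copy the key.
    if [ -n "$(find "$key" -maxdepth 0 \( -perm -0040 -o -perm -0004 \))" ]; then
        echo "readable-by-others"
    fi
    # Expect exactly one BEGIN/END pair around 512 hex digits (2048 bits).
    awk '
        /^-----BEGIN OpenVPN Static key V1-----$/ { inside = 1; began++; next }
        /^-----END OpenVPN Static key V1-----$/   { inside = 0; ended++; next }
        inside && /^[0-9a-fA-F]+$/                { hex += length($0); next }
        inside                                    { bad++ }
        END { exit !(began == 1 && ended == 1 && bad == 0 && hex == 512) }
    ' "$key" || echo "bad-format"
}

# Constructed placeholder with the right shape (all zeros), not a usable key.
make_sample_key() {
    {
        echo "-----BEGIN OpenVPN Static key V1-----"
        i=0
        while [ "$i" -lt 16 ]; do printf '%032d\n' 0; i=$((i + 1)); done
        echo "-----END OpenVPN Static key V1-----"
    } > "$1"
}

demo=$(mktemp -d)
make_sample_key "$demo/static.key"
chmod 0644 "$demo/static.key"
check_static_key "$demo/static.key"    # prints: readable-by-others
chmod 0600 "$demo/static.key"
check_static_key "$demo/static.key"    # prints nothing
rm -rf "$demo"
```

The format check also catches a key that was truncated or reflowed while being copied to the client.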

Install and set-up Samba
Next you need to install Samba. I again took the Debian way via “aptitude install samba”. Then I tweaked the standard setup to export the users’ home directories and listen only on the VPN interface and not the normal one.
interfaces = lo, 10.0.0.0/8
bind interfaces only = Yes

[homes]
comment = Home Directories
browseable = yes
writable = yes
create mask = 0775
directory mask = 0775

The rest of the smb.conf file can be pretty much left alone.

Start openvpn and samba
Provided you installed it via your packaging system or set up the init scripts yourself, you can now start the two programs by typing in “/etc/init.d/openvpn start” and “/etc/init.d/samba start” (or wherever your distro keeps its init scripts).
If the two started up ok, you’re done on the server side.
Time to move on to the client.
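
A way to confirm that "bind interfaces only" took effect once both services are running, as an added example that is not part of the original post. It assumes `ss` from iproute2 is available; the function names are made up for illustration, the allowed addresses come from the configs above, and the sample output is constructed.

```shell
# Added example: flag Samba TCP listeners reachable outside loopback and the VPN.
# Input: `ss -ltn` output on stdin. Output: one "address:port" per offender.
samba_exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            local_addr = $4
            # The port is everything after the last colon (works for [::]:445).
            n = split(local_addr, parts, ":")
            port = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            # smbd listens on TCP 139 and 445; ignore every other service.
            if (port != "139" && port != "445") next
            # Allowed: loopback and the server end of the tunnel (10.8.0.1).
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "10.8.0.1") next
            print addr ":" port
        }'
}

# Constructed sample: correct listeners on lo and tun, plus one wildcard
# listener that the smb.conf settings above are meant to prevent.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     127.0.0.1:445      0.0.0.0:*
LISTEN 0      50     10.8.0.1:445       0.0.0.0:*
LISTEN 0      50     10.8.0.1:139       0.0.0.0:*
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF
}

# On a live server: ss -ltn | samba_exposed_listeners
sample_ss_output | samba_exposed_listeners    # prints: 0.0.0.0:445
```

An empty result on the live server means smbd is only bound to loopback and the tunnel address.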

Install Tunnelblick
Download it from www.tunnelblick.net, mount the Disk Image and double click on “Tunnelblick-Complete.mpkg” which installs all the necessary drivers and software packages. Now you should have a Tunnelblick icon in your Applications folder.
When starting the program for the first time, it will tell you that there is no configuration file present and will offer you a sample configuration.
Simply replace the sample configuration with the following:
remote IP_OR_DOMAIN_OF_YOUR_SERVER
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

As the last step you have to put the file “static.key” that you obtained from your server earlier in ~/Library/openvpn (this is where your config resides as well).
This should be it. Click on the Tunnel entrance symbol to the left of your Spotlight icon and choose your config; after a short moment the connection will be present.

The last thing to do is to mount your home directory.
Press CMD+K in the Finder (or go to “Go -> Connect to Server” in the Menu) and type in the following:
smb://user@10.8.0.1/user
substituting “user” with your username on the server. After that a new icon should appear on your desktop containing all the files you have in your home directory on your server 🙂

Motion

I recently installed a simple video surveillance system at a facility where I work.

The main goal is to know who (and when) entered our server room. Currently the setup features a tiny Philips USB cam connected to a Linux server (running Debian Sarge). At a later stage this webcam will be replaced by a proper network camera (or even several cameras).

The software I used is called Motion – a relatively easy to set up video surveillance system that does motion detection (…and much, much more). Motion detection is ideal for my purpose because the room is normally completely dark unless somebody enters it and switches on the light.

Now every time somebody comes in, a short video is produced and saved on our server. I made a web accessible filesystem alias to the video directory, so I could check whether there was new footage available. This process was not automated enough for me, so I slapped together a short (and ugly) PHP script that takes the contents of the video directory and delivers it as an RSS feed that I can now subscribe to with my news reader.

The script is available at the Motion WIKI and can also be downloaded from there.

[Update:]
Some photos of the former chaos in our server room and its extinction can be viewed here.

special thanks to Herbert for having the idea 😉