Cubie Truck Tests – Disabling Ubuntu Server Automatic Login

The most unusual thing about this Cubie Truck Ubuntu Server image is that after the system boots it logs in automatically as root. That is convenient while testing, but it is a serious security problem once the board is actually put into service.
I thought about it for a long time without working out how this is done. Searching on Google mostly turned up auto-login under X Window; only the following articles looked like possible approaches:
Implementing passwordless root auto-login on Linux (CentOS/Ubuntu) – 92wiki
How to enable root autologin without password in linux(centos 6.2) – Blog – 92wiki.com
How do I auto-login as root into the TTY upon boot? – Ask Ubuntu

But on close comparison none of them matched. I then searched for cubie truck root auto login instead and finally found the answer in this article:
散人日誌: Cubietruck lubuntu server edition – automatic root login

Fix:
# sed -i 's/exec/#exec/' /bin/auto-root-login

Reboot for the change to take effect
# reboot

Related configuration files
# cat /etc/init/openvt.conf
#
# Author: Steve Langasek <steve.langasek@linaro.org>
# License: see debian/copyright
#

start on started tty1
stop on runlevel [!2345]

respawn
pre-start script
  if status tty1 | grep -q start/; then
    stop tty1
  fi
end script
exec /bin/openvt -e -c 1 -f -- /bin/auto-root-login

# cat /etc/default/autogetty
# here you can provide what to run instead of /bin/login
AUTOGETTY_ARGS="-n -l /bin/auto-root-login"

# Should autogetty be enabled?
ENABLED=1
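
Whether the auto-login is really gone is easy to check from the three files above. The following is an added example, not code from the original post or from the Cubie Truck image: it audits /bin/auto-root-login and /etc/default/autogetty under a root directory (the live system or a mounted NAND image), applies the same sed-style fix, and runs both against a constructed sample tree, since the post does not show the real script's contents.

```python
import os
import re
import tempfile

def autologin_findings(root="/"):
    """Return the active auto-login indicators under root (empty list = disabled).
    root may be a mounted NAND image instead of the running system."""
    findings = []
    script = os.path.join(root, "bin/auto-root-login")
    if os.path.isfile(script):
        with open(script) as f:
            for n, line in enumerate(f, 1):
                # The post's fix comments out the exec line; an uncommented one
                # means the script still logs root in on tty1 at boot.
                if re.match(r"\s*exec\b", line):
                    findings.append(f"{script}:{n}: active exec line")
    autogetty = os.path.join(root, "etc/default/autogetty")
    if os.path.isfile(autogetty):
        with open(autogetty) as f:
            for n, line in enumerate(f, 1):
                if re.match(r"\s*ENABLED=1\b", line):
                    findings.append(f"{autogetty}:{n}: autogetty ENABLED=1")
    return findings

def disable_autologin(root="/"):
    """Apply the post's fix: comment out every exec line in bin/auto-root-login."""
    script = os.path.join(root, "bin/auto-root-login")
    with open(script) as f:
        lines = f.readlines()
    with open(script, "w") as f:
        for line in lines:
            f.write(re.sub(r"^(\s*)exec\b", r"\1#exec", line))

def demo():
    """Audit a constructed sample tree before and after applying the fix."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc/default"))
    # Constructed stand-in: the post does not show the real script's contents.
    with open(os.path.join(root, "bin/auto-root-login"), "w") as f:
        f.write("#!/bin/sh\nexec /bin/login -f root\n")
    with open(os.path.join(root, "etc/default/autogetty"), "w") as f:
        f.write("ENABLED=1\n")
    before = autologin_findings(root)
    disable_autologin(root)
    return before, autologin_findings(root)
```

After the fix only the autogetty ENABLED=1 line is still reported, which matches the post: it changes the script, not /etc/default/autogetty.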

Cubie Truck Tests – Using Wireless Networking on Ubuntu Server

Check whether the wireless driver module is loaded
# lsmod  | grep bcmdhd
bcmdhd                598843  0

If it is not, have it loaded at boot
# echo bcmdhd >> /etc/modules

Edit the wireless interface configuration
# vim /etc/network/interfaces
auto wlan0
iface wlan0 inet dhcp
pre-up ip link set wlan0 up
pre-up iwconfig wlan0 essid "CHTN_T07AW"
wpa-ssid "CHTN_T07AW"
wpa-psk 123456789
Restart networking
# ifconfig wlan0 down
# ifconfig wlan0 up
# /etc/init.d/networking restart

Check the wireless interface configuration
# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 98:3b:16:1e:67:d8
          inet addr:10.0.1.6  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9a3b:16ff:fe1e:67d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:250 errors:0 dropped:0 overruns:0 frame:0
          TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26007 (26.0 KB)  TX bytes:15118 (15.1 KB)

To test the wireless link, first bring down the wired interface
# ifconfig eth0 down

Test the network: it cannot connect
# ping -c 4 140.111.66.1
connect: Network is unreachable

Check the routing table
# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan0

Add a default route
# route add default gw 10.0.1.1

Check the routing table
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 wlan0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan0

Test the network
# ping -c 4 140.111.66.1
PING 140.111.66.1 (140.111.66.1) 56(84) bytes of data.
64 bytes from 140.111.66.1: icmp_seq=1 ttl=53 time=20.1 ms
64 bytes from 140.111.66.1: icmp_seq=2 ttl=53 time=17.7 ms
64 bytes from 140.111.66.1: icmp_seq=3 ttl=53 time=26.6 ms
64 bytes from 140.111.66.1: icmp_seq=4 ttl=53 time=26.0 ms

--- 140.111.66.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 17.703/22.627/26.661/3.828 ms

Bring the original eth0 back up
# ifconfig eth0 up

Restore the original routing
# route add default gw 192.168.1.254
# route del default gw 10.0.1.1

Check the routing table
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Cubie Truck Tests – Installing Ubuntu Server

Download URL:
http://dl.cubieboard.org/software/a20-cubietruck/lubuntu/ct-lubuntu-nand-v2.0/server/

Notable points:
1. After booting, this image automatically logs in as root on the console

2. This image comes with Apache + MySQL + PHP pre-installed and running (the listing below shows mysqld bound only to 127.0.0.1, while apache2 and sshd listen on all interfaces)
# netstat -antulp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      745/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      656/sshd
tcp        0     52 192.168.1.105:22        192.168.1.6:3349        ESTABLISHED 1035/0
tcp6       0      0 :::80                   :::*                    LISTEN      784/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      656/sshd

3. The Ubuntu Server version is 14.04
Welcome to Linaro 14.04 (GNU/Linux 3.4.79 armv7l)

 * Documentation:  https://wiki.linaro.org/

# lsb_release -a
No LSB modules are available.
Distributor ID: Linaro
Description:    Linaro 14.04
Release:        14.04
Codename:       trusty

4. The root partition is pre-expanded to 8G, but since this Cubie Truck has 16G,
    expand the root partition to 16G
# nand-part -f a20 /dev/nand 32768 'boot 131072' 'rootfs 30769152'
# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        15G  769M   14G   6% /
devtmpfs        889M  4.0K  889M   1% /dev
none            4.0K     0  4.0K   0% /sys/fs/cgroup
tmpfs            20M     0   20M   0% /tmp
none            197M  288K  197M   1% /run
none            5.0M     0  5.0M   0% /run/lock
none            985M     0  985M   0% /run/shm
none            100M     0  100M   0% /run/user

Configure the MySQL server
# /usr/bin/mysql_secure_installation

Cubie Truck Tests – Installing OpenVPN Server on Arch Linux

References:
OpenVPN – ArchWiki
Create a Public Key Infrastructure Using the easy-rsa Scripts – ArchWiki
頭城國小資訊組 | Banana Pi Tests – Bananian: Installing OpenVPN Server

Install OpenVPN
# pacman -S openvpn easy-rsa

Copy the easy-rsa sample files to /etc/openvpn
# cp -r /usr/share/easy-rsa /etc/openvpn

Change the default certificate information
# sed -i 's/KEY_COUNTRY="US"/KEY_COUNTRY="TW"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_PROVINCE="CA"/KEY_PROVINCE="Taiwan"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_CITY="SanFrancisco"/KEY_CITY="E-Land"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_ORG="Fort-Funston"/KEY_ORG="Home"/' /etc/openvpn/easy-rsa/vars

Change to /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa

Start building the certificates
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Clear any old certificates
# ./clean-all

Build the required certificates
# ./build-ca
# ./build-key-server CubieTruck
# ./build-dh
# ./build-key Cubier

Generate ta.key
# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Change to /etc/openvpn/easy-rsa/keys
# cd /etc/openvpn/easy-rsa/keys

Copy the server-side files to /etc/openvpn
# cp ta.key ca.crt ca.key dh2048.pem CubieTruck.crt CubieTruck.key /etc/openvpn

Create a directory for the files the client needs
# mkdir $HOME/openvpn-client-files
Copy the client-side files
# cp ca.crt Cubier.crt Cubier.key $HOME/openvpn-client-files

Rename the CA certificate
# mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
Change the file permissions (chmod +r makes the client's private key readable by every local user on the server; tighten it again once it has been copied to the client)
# chmod +r $HOME/openvpn-client-files/Cubier.key

Create the /etc/openvpn/server.conf configuration file
# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
;; key file settings
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CubieTruck.crt
key /etc/openvpn/CubieTruck.key
tls-auth /etc/openvpn/ta.key 0
;; VPN subnet
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
;; allow clients to reach each other
;client-to-client
push "redirect-gateway def1"
;; DNS settings
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 140.111.66.1"
keepalive 5 30
;; maximum number of clients
max-clients 12
user nobody
group nobody

Check that /etc/openvpn/server.conf is syntactically valid
# openvpn /etc/openvpn/server.conf
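
A syntax check says nothing about whether the settings are the ones you want. The following is an added example, not code from the original post or from OpenVPN: it parses the server.conf above (reduced, as a constructed sample, to the directives the checks need) and reports the points a reviewer looks at first: tls-auth present with the server's direction 0, a cipher set, privileges dropped to nobody, client-to-client left disabled, and the certificate directives all present.

```python
# Constructed sample: the server.conf above, reduced to the directives the checks need.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CubieTruck.crt
key /etc/openvpn/CubieTruck.key
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
;client-to-client
user nobody
group nobody
"""

def parse_openvpn_conf(text):
    """Return [[directive, arg, ...], ...], skipping blank lines and comments."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#":  # both ';' and '#' start a comment
            directives.append(line.split())
    return directives

def check_server_conf(text):
    """Return a list of problems; an empty list means every check passed."""
    d = parse_openvpn_conf(text)
    def args(name):
        return next((x[1:] for x in d if x[0] == name), None)
    problems = []
    ta = args("tls-auth")
    if ta is None:
        problems.append("no tls-auth: control channel lacks the ta.key HMAC")
    elif len(ta) < 2 or ta[1] != "0":
        problems.append("tls-auth direction must be 0 on the server (1 on clients)")
    if args("cipher") is None:
        problems.append("no cipher directive")
    for who in ("user", "group"):
        if args(who) in (None, ["root"]):
            problems.append(f"{who} not dropped to an unprivileged account")
    if args("client-to-client") is not None:
        problems.append("client-to-client enabled: VPN clients can reach each other")
    for name in ("ca", "cert", "key", "dh"):
        if args(name) is None:
            problems.append(f"missing {name} directive")
    return problems
```

check_server_conf(SERVER_CONF) returns an empty list for the configuration above; uncommenting client-to-client or changing the tls-auth direction to 1 is reported.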

Firewall settings. If a firewall is already in place, merge these rules into it rather than running this script as-is, since it flushes the existing filter and nat tables
# vim /etc/firewall.vpn
#!/bin/bash
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s “10.8.0.0/24” -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s “10.8.0.0/24” -j MASQUERADE

Change the file permissions
# chmod 700 /etc/firewall.vpn

Run at boot
Append the firewall script to the end of /etc/rc.local
# sed -i '$a # OpenVPN firewall\nsh /etc/firewall.vpn' /etc/rc.local

Start the OpenVPN server
# systemctl start openvpn@server.service

Enable the OpenVPN server at boot
# systemctl enable openvpn@server.service

Check the OpenVPN server status
# systemctl status openvpn@server.service

Verify that the OpenVPN server is running and listening
# netstat -antpul | grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      3682/openvpn

tun0 interface information
# ip addr show tun0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Resolving the message Failed to read PID from file /run/openvpn@server.pid: Invalid argument
# chown nobody:nobody /var/run/openvpn@server.pid

Cubie Truck Tests – Turning Arch Linux into a Wireless AP

References:
dhcpd – ArchWiki

Install hostapd
# pacman -S hostapd

Install the DHCP server
# pacman -S dhcp

Back up the original configuration file
# mv /etc/dhcpd.conf /etc/dhcpd.conf.$(date +%F)

Create the DHCP server configuration file (both DNS servers go on one option line; a second domain-name-servers option in the same scope would replace the first instead of adding to it)
# vim /etc/dhcpd.conf
ddns-update-style none;
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 172.16.0.0 netmask 255.255.255.0 {
    range 172.16.0.1 172.16.0.10;
    option domain-name-servers 168.95.1.1, 8.8.8.8;
    option routers 172.16.0.254;
}

# vim /etc/systemd/system/dhcpd4@.service
[Unit]
Description=IPv4 DHCP server on %I
Wants=network.target
After=network.target

[Service]
Type=forking
PIDFile=/run/dhcpd4.pid
ExecStart=/usr/bin/dhcpd -4 -q -pf /run/dhcpd4.pid %I
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

Edit the wlan0 interface profile
# cat /etc/netctl/wlan0
Description='A simple WPA encrypted wireless connection using a static IP'
Interface=wlan0
Connection=ethernet
AutoWired=yes
IP=static
Address='172.16.0.254/24'
DNS=('168.95.1.1' '140.111.66.1' '8.8.8.8')
# Uncomment this if your ssid is hidden
#Hidden=yes

Restart wlan0
# netctl restart wlan0

# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.254  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::9a3b:16ff:fe1e:67d8  prefixlen 64  scopeid 0x20<link>
        ether 98:3b:16:1e:67:d8  txqueuelen 1000  (Ethernet)
        RX packets 15  bytes 1914 (1.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 69  bytes 7236 (7.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Start the DHCP server
# systemctl start dhcpd4@wlan0.service

Enable the DHCP server at boot
# systemctl enable dhcpd4@wlan0.service
Created symlink from /etc/systemd/system/multi-user.target.wants/dhcpd4@wlan0.service to /etc/systemd/system/dhcpd4@.service.

Configure the firewall (this script sets every chain policy to ACCEPT and masquerades all forwarded traffic, not only the AP's 172.16.0.0/24 subnet; the OpenVPN post above shows the stricter per-subnet FORWARD rules)
# vim /etc/firewall.wifiap
#!/bin/bash
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

modprobe ip_conntrack
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

Run the firewall rules
# sh /etc/firewall.wifiap

Append the firewall script to the end of /etc/rc.local
# sed -i '$a # NAT firewall\nsh /etc/firewall.wifiap' /etc/rc.local

Configure hostapd
# cat /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=CubieTruck
channel=11
hw_mode=g
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_psk=ee07bee15c9c33bf7bcc53d84aac17e2b83f82476f96e32efcd03d716d99a4d2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
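
The wpa_psk= line above holds the derived 256-bit key rather than a passphrase, unlike the plaintext wpa-psk in the /etc/network/interfaces example of the Ubuntu Server wireless post. The following added example (not code from the original post, hostapd or wpa_supplicant) derives that key the way wpa_passphrase does, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and checks a hostapd.conf for the two forms; the derived key is still the network credential and needs the same protection, the gain is only that the human passphrase, which people reuse elsewhere, is never written to disk.

```python
import hashlib
import re

def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2 PSK as 64 hex chars: PBKDF2-HMAC-SHA1 with the SSID
    as salt, 4096 iterations, 32-byte output (IEEE 802.11i Annex H)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

def hostapd_psk_lines(ssid: str, passphrase: str) -> str:
    """hostapd.conf fragment holding the derived key instead of the passphrase."""
    return f"ssid={ssid}\nwpa_psk={wpa_psk(ssid, passphrase)}\n"

def psk_is_hashed(value: str) -> bool:
    """True if a wpa_psk= / wpa-psk value is a 64-hex derived key rather than
    a plaintext passphrase (optionally wrapped in double quotes)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value.strip().strip('"')) is not None

def check_hostapd_conf(text: str) -> list:
    """Report a clear-text passphrase (wpa_passphrase=) or a malformed wpa_psk=."""
    problems = []
    for line in text.splitlines():
        if line.startswith("wpa_passphrase="):
            problems.append("wpa_passphrase= keeps the passphrase itself in the config")
        elif line.startswith("wpa_psk=") and not psk_is_hashed(line[len("wpa_psk="):]):
            problems.append("wpa_psk= is not a 64-hex derived key")
    return problems

if __name__ == "__main__":
    # Constructed passphrase for the SSID used in the hostapd.conf above.
    print(hostapd_psk_lines("CubieTruck", "correct horse battery staple"), end="")
```

The IEEE 802.11i test vectors (SSID "IEEE" with passphrase "password", SSID "ThisIsASSID" with "ThisIsAPassword") confirm the derivation, and the 64-hex wpa_psk from the configuration above passes psk_is_hashed.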

Start hostapd
# systemctl start hostapd

Check the status
# systemctl status hostapd
● hostapd.service - Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
   Loaded: loaded (/usr/lib/systemd/system/hostapd.service; enabled)
   Active: active (running) since Tue 2014-10-14 13:23:38 CST; 1s ago
  Process: 353 ExecStart=/usr/bin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B (code=exited, status=0/SUCCESS)
 Main PID: 354 (hostapd)
   CGroup: /system.slice/hostapd.service
           └─354 /usr/bin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B

Run hostapd directly from the command line
# /usr/bin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr 98:3b:16:1e:67:d8 and ssid "CubieTruck"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

Enable hostapd at boot
# systemctl enable hostapd