Set up Debian PXE boot server

I have always wanted to set up a Debian PXE (Pre-eXecution Environment) server, so I could have machines boot from the network and select an OS to install. Ultimately I expect to be able to do this with any OS, but at first I will have it boot various versions of Debian, from my local partial Debian mirror (maintained with debmirror).

Right now I’m downloading the Debian installer images with debmirror. For the PXE boot server, I will be following this Debian Administration guide:

  1. The first thing it has me install is tftpd-hpa, which is easy enough:
    aptitude install tftpd-hpa

    This automatically started the tftpd-hpa daemon. The guide suggested I need to edit /etc/default/tftpd-hpa:

    # /etc/default/tftpd-hpa

    The above are the defaults, and since those looked alright to me, I didn’t modify them. The directory /srv/tftp already existed on my system (probably from an earlier attempt at setting up PXE boot), and was empty.

  2. Next, I needed to set up my DHCP server. This is provided by my custom-built router/firewall, running pfSense. Many home routers don’t allow one to set DHCP options, but pfSense ain’t no ordinary router. (-; I added my workstation/tftp server’s IP address (hostname did NOT work), put “pxelinux.0” as the filename, and that seemed to be it.
  3. The next step was to configure the PXE boot. I copied the pxelinux files, and debian-installer directory from my local debmirror:
    cp -R /var/spool/mirror/dists/sid/main/installer-amd64/current/images/pxelinux.* /srv/tftp/
    cp -R /var/spool/mirror/dists/sid/main/installer-amd64/current/images/netboot/debian-installer /srv/tftp/
  4. The final step was to test it. Once I configured my VirtualBox test machine, it booted into PXE, saw my server/workstation, and it is now installing Debian Sid!

Where to go from here?

  • Figure out the best way to list multiple Linux distributions
  • Figure out a way to have this boot Windows images

Neither of the above look trivial.

StartCom SSL intermediate certificate chain fix…

In the past year I’ve installed two SSL certificates from StartCom, for my two websites:, and Both of these sites (now) are running Debian Sid, and have almost identical configurations. For most browsers/devices I’ve tried, the StartCom SSL certificates work fine (notice the appropriate lock icon in the address bar [in Google Chrome/Chromium it’s a green lock icon]). However, on some devices–most notably my Samsung Galaxy S II running CyanogenMod 9.10, and my mother’s aging iMac–I get a message similar to the following:

(Sorry for picking on you Midnight Commander, but yours is a website I know generates this error for me consistently. Maybe I can link to this post and have you fix that!)

Searching for the string “entity is not trusted” on the StartCom forums guided me to this posting, which suggests using a free tool called SSL Checker to verify that my SSL installation is complete and without problems. The site gives me the following:

So it is verified that my SSL certificate is not trusted by all browsers. They give a hint back to StartCom’s extensive FAQ. It led me to the Apache Web Server configuration page. I needed to copy both the ca.pem and, and configure apache2 appropriately (in the sites-available/ configuration file). My configuration ended up being like this:

DocumentRoot /var/www/
ErrorLog /var/log/apache2/wp-error.log
TransferLog /var/log/apache2/wp-access.log
RedirectPermanent /

SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/ssl/certs/
SSLCertificateKeyFile /etc/ssl/private/
SSLCertificateChainFile /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/startcom_ca.pem
DocumentRoot /var/www/
Customlog /var/log/apache2/ combined
ErrorLog /var/log/apache2/
HostnameLookups On

  Options FollowSymLinks
  AllowOverride Limit Options FileInfo
  DirectoryIndex index.php

I was missing the ChainFile and CACertificateFile, and I added the extra bits about CipherSuite and Protocol. Now the SSL Checker validates everything on The same configuration isn’t working for, the checker says “No SSL could be found,” yet my browser indicates SSL is active and enabled. I’ll have to do a closer comparison… [Edit 2013-01-27 0554 -0600] Looks like the SSL certificate is tied directly to (which redirects to The opposite problem exists for If I have the SSL Checker scan, it says “No SSL could be found.” Must be a difference in the way I set up the SSL certificates.

Now I can be sure that folks won’t have to click through an SSL warning when they visit my sites!

Installing tripwire on Debian Sid.

One security tool I use on my Linux servers is tripwire. Essentially, it hashes both a file/directory and its metadata (modify/access/creation timestamps, file size, inode, etc.) into the tripwire database. Daily (or more often) tripwire re-scans the designated filesystems and alerts the administrator of any changes. This is glossing over many of the finer points, but if a system is compromised and key files are changed the administrator is notified at the next re-scan. Tripwire shouldn’t be the only line of defense, but it can be useful as a catch-all to notify the system manager so corrective action can be taken.
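To make the description above concrete, here is an added example (not part of the original post, and not tripwire’s own code) of the core idea in plain POSIX sh: take a snapshot of every regular file’s content hash and metadata, store it as a database, then re-scan and report what was added, removed, or modified. It assumes GNU coreutils (sha256sum, stat -c) as found on Debian, and runs entirely in a constructed temporary tree. Unlike tripwire, it does not sign the database, so it shows the detection logic only, not the protection of the baseline itself.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal stand-in for what
# tripwire does. Records sha256 + mode/size/mtime/inode per file, then re-scans
# and reports differences. Assumes GNU coreutils (sha256sum, stat -c).
set -e

# snapshot DIR DBFILE: one line per regular file, sorted in C locale:
#   path<TAB>sha256<TAB>mode size mtime inode
snapshot() {
  sdir=$1; sdb=$2
  : > "$sdb"
  find "$sdir" -type f | LC_ALL=C sort | while IFS= read -r f; do
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    meta=$(stat -c '%a %s %Y %i' "$f")
    printf '%s\t%s\t%s\n' "$f" "$sum" "$meta" >> "$sdb"
  done
}

# check DIR DBFILE: compare a fresh scan against DBFILE (like "tripwire --check").
# Prints ADDED/REMOVED/MODIFIED lines; returns 0 if clean, 1 if any violation.
check() {
  cdir=$1; cdb=$2
  tmp=$(mktemp -d); viol=0
  snapshot "$cdir" "$tmp/new"
  cut -f1 "$cdb"     > "$tmp/old_paths"
  cut -f1 "$tmp/new" > "$tmp/new_paths"
  # Both path lists are already C-sorted, which comm requires
  LC_ALL=C comm -13 "$tmp/old_paths" "$tmp/new_paths" > "$tmp/added"
  LC_ALL=C comm -23 "$tmp/old_paths" "$tmp/new_paths" > "$tmp/removed"
  LC_ALL=C comm -12 "$tmp/old_paths" "$tmp/new_paths" > "$tmp/common"
  while IFS= read -r p; do echo "ADDED    $p"; viol=1; done < "$tmp/added"
  while IFS= read -r p; do echo "REMOVED  $p"; viol=1; done < "$tmp/removed"
  # For files present in both, any change to hash or metadata is a violation
  while IFS= read -r p; do
    old=$(awk -F'\t' -v p="$p" '$1==p' "$cdb")
    cur=$(awk -F'\t' -v p="$p" '$1==p' "$tmp/new")
    if [ "$old" != "$cur" ]; then echo "MODIFIED $p"; viol=1; fi
  done < "$tmp/common"
  rm -rf "$tmp"
  return $viol
}

# Constructed demo tree standing in for a real filesystem (not real system files)
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO/etc/passwd"
printf 'PermitRootLogin no\n' > "$DEMO/etc/sshd_config"

snapshot "$DEMO" "$DEMO.db"                 # baseline, like "tripwire --init"
if check "$DEMO" "$DEMO.db"; then echo "clean"; fi

# Simulate an unauthorized change and re-scan
printf 'PermitRootLogin yes\n' > "$DEMO/etc/sshd_config"
if ! check "$DEMO" "$DEMO.db"; then echo "violations found"; fi
```

The mtime comparison has one-second resolution, so the content hash is what catches a same-size, same-second edit; a real tripwire database also covers ownership and, on the policy side, lets you choose which attributes matter per path so that log files can grow without raising alarms.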

To install and set up tripwire on Debian Sid, follow these instructions (inspired by this):

  1. Actually installing tripwire is very simple:
    # aptitude install tripwire

    The curses-based menu prompts will instruct you to create a pair of keys to cryptographically sign many files, in order to ensure their contents or metadata haven’t changed. The first tripwire installation prompt warns that these passphrases exist unencrypted for a period of time. Because of this I have elected not to enter these passphrases at this time, and will follow the instructions in twadmin(8) for creating these keys.

  2. To generate the keys, I ran the following command:
    # twadmin --generate-keys \
    --verbose \
    --local-keyfile /etc/tripwire/local.key \
    --site-keyfile /etc/tripwire/site.key

    This generated the following output:

    Open Source Tripwire(R) built for x86_64-unknown-linux-gnu
    Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
    trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
    for details use --version. This is free software which may be redistributed
    or modified only under certain conditions; see COPYING for details.
    All rights reserved.
    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)
    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating site key: /etc/tripwire/site.key
    Generating key (this may take several minutes)...Key generation complete.
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating local key: /etc/tripwire/local.key
    Generating key (this may take several minutes)...Key generation complete.

    It may have said it may take several minutes to generate these keys, but it processed through very quickly on my li’l VPS. It took mere seconds to generate the keys. It actually took more time for me to select my passphrases than it did to generate the keys. The keys are nice and encrypted (the “file” command just says they’re data!). Some notes on my passphrases:

    • I use keepassx to maintain my password database. It has an added feature of generating random passwords! I back up my password database religiously, and I use sshfs on all of the workstations I control to always keep the same file updated, no matter what machine I’m using. It’s great!
    • I used keepassx to generate a 128 character password for the site key, and a 64 character password for the local key. I was sure to use characters from every character class (upper, lower, underscore, hyphen, space, symbols). The site key ended up being a whole 1,024 bits of entropy, and the local key was 512 bits of entropy.
    • I probably should have collected fresh entropy before generating those keys, but then I’m getting really pedantic. I have unchecked that option, so it should collect fresh entropy more often, if not every time I generate a new password.
  3. Next step is to actually configure tripwire. This is done by modifying /etc/tripwire/twpol.txt, and removing or commenting out the stuff we don’t have or need. The first step is to run this command:
    # tripwire --check

    This will compare the system with the current /etc/tripwire/twpol.txt, and report on the differences. On first run, I got:

    # tripwire --check
    ### Error: File could not be opened.
    ### Filename: /etc/tripwire/tw.cfg
    ### No such file or directory
    ### Configuration file could not be read.
    ### Exiting...

    I changed the following line in /etc/tripwire/twpol.txt:

      $(TWETC)/tw.cfg    -> $(SEC_BIN) -i ;

    To this:

      $(TWETC)/twcfg.txt    -> $(SEC_BIN) -i ; 

    Turns out that’s not right, so I reverted the change above. What I had to do was initialize the tripwire configuration file like so:

    # twadmin --create-cfgfile --site-keyfile site.key twcfg.txt

    That brought me to the following:

    # tripwire --check
    ### Error: File could not be opened.
    ### Filename: /etc/tripwire/eldon-local.key
    ### No such file or directory
    ### Exiting...

    I had to edit twcfg.txt and regenerate tw.cfg (since my local key is /etc/tripwire/local.key, not /etc/tripwire/eldon-local.key). My next problem was that the tripwire database did not exist. I entered the following command:

    # tripwire --init

    After entering the local key passphrase, I got the following output:

    ### Error: File could not be found.
    ### /etc/tripwire/tw.pol
    ### Exiting...

    I generated that policy file using the following command:

    # twadmin --create-polfile twpol.txt
    Please enter your site passphrase: 
    Wrote policy file: /etc/tripwire/tw.pol

    Next I could run the initialization:

    # tripwire --init
    ...lots of messages about missing /proc files, then
    Wrote database file: /var/lib/tripwire/eldon.twd
    The database was successfully generated.

    I removed /proc, and a bunch of other stuff from twpol.txt, then regenerated the policy file. I then could finally run the check:

    # tripwire --check

    This listed a bunch of files that couldn’t be found. I removed those from the policy file (twpol.txt), regenerated the policy, reinitialized the database, and got the standard report on standard output (I won’t reprint it here because it’s rather long). Now I can modify my upgrade alias in .bashrc:

    alias upgrade='aptitude update && aptitude full-upgrade && \
                    aptitude clean && rkhunter --propupd && tripwire --check'

    I do not run tripwire on any of my workstations or laptops, simply because I am constantly futzing with them, and I would get near-constant email warnings about violations: files created, deleted, or modified since the .twd database was written. Here, usability trumps security, in the ever-constant struggle.

WordPress install on Debian Sid (post-Wheezy)

For my first post, I will discuss how I installed this website on my Debian Sid installation on my EDIS Virtual Private Server (VPS). I first started with the EDIS VRS STARTER, which includes 512MB RAM, with a 10GB disk, 1Gbps network bandwidth, and 2TB total bandwidth allowed per period. Not much to work with, but it’s only ~$7 per month! The nice thing is, the Wheezy image I started with only takes up 200MB of disk space, so there’s plenty to work with.

Here’s the procedure I followed:

  1. First thing was to install my bare essentials. This includes vim and tmux. I installed them with the following command, as root:
    aptitude install vim tmux
  2. Now that vim was installed, I could remove nano and edit /etc/apt/sources.list properly:
    # aptitude purge nano # DIE EVIL NANO!
    # vim /etc/apt/sources.list

    The /etc/apt/sources.list file ended up like this:

    deb sid main contrib

    Since this server is in Chicago, IL, USA, I changed the Debian repository server from (EDIS is based in Austria). The “contrib” parameter was used because several key MySQL components (necessary for WordPress) are not available in the “main” repository because of licensing issues. With that I added the following alias to root’s bash run control file (~/.bashrc):

    alias upgrade='aptitude update && aptitude full-upgrade'

    I do the above on all of the Debian servers and workstations I manage, to make it a simple matter to update the system to the latest available packages. Sourcing the .bashrc file with “source .bashrc” (or what I really use, “. .bashrc”) loaded the new alias. Executing the “upgrade” alias proceeded to update my Wheezy install to Sid, and took about twenty minutes or so. Note that lsb_release -a still returns Wheezy; I’ll have to investigate that when I have time.

  3. Now that my machine had been updated, I rebooted it to load the new kernel (with the command reboot). Next, I installed wordpress and mysql. I note that mysql-server is *not* a dependency of wordpress (it merely suggests mysql-server); I discovered this when I tried to start WordPress for the first time and noticed mysql-server was not installed (this led me to adding “contrib” to sources.list above). The command below installed many libraries and helper packages, including apache2 and php5 related packages:

    # aptitude install wordpress mysql-server libssh2-php

    I installed libssh2-php since I wanted to use SSH keys for WordPress to apply updates, plugins, and themes (rather than use FTP or FTPS [I’ve always found installing and securing FTP repositories to be a major pain]). I was then ready to set up apache.

  4. Setting up apache was as simple as creating the /etc/apache2/sites-available/
    DocumentRoot /var/www/
    ErrorLog /var/log/apache2/wp-error.log
    TransferLog /var/log/apache2/wp-access.log
    RedirectPermanent /
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/
    SSLCertificateKeyFile /etc/ssl/private/
    DocumentRoot /var/www/
    Customlog /var/log/apache2/ combined
    ErrorLog /var/log/apache2/
    HostnameLookups On
      Options FollowSymLinks
      AllowOverride Limit Options FileInfo
      DirectoryIndex index.php

    I obtained my SSL certificates from StartSSL, based in Israel. The main reason I use them is they offer level 1 certificates for personal use completely free/gratis! The only downside is that many older, out of date browsers and smartphones don’t recognize their certificate authority credentials, which means many browsers issue an SSL warning (as if the site used self-signed certificates). If that becomes a major problem, I may switch.

    The next step was to enable the site:

    # a2ensite
  5. The next step is to set up the WordPress MySQL user and database (adapted from here). In Debian, when mysql-server is installed apt/dpkg directs you to set root’s password for the MySQL server. The first command below will prompt for that password:
    # mysql -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 308
    Server version: 5.5.29-1 (Debian)
    Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> create database eldon;
    Query OK, 1 row affected (0.00 sec)
    mysql> grant all privileges on eldon.* to "wp_agent"@"localhost"
        -> identified by "SUPERSECRETPASSWORD";
    Query OK, 0 rows affected (0.00 sec)
    mysql> flush privileges;
    Query OK, 0 rows affected (0.01 sec)
    mysql> exit

    Since wordpress installs to /usr/share/wordpress on Debian, I made a symlink, and then restarted apache2:

    ln -s /usr/share/wordpress /var/www/
    service apache2 restart

    If I want to add other sites to this VPS, I’ll just need to set up the site as above, and place it in /var/www/. Note that I’ll have to be careful when setting up SSL. I had originally found that multiple SSL sites on a single IP was impossible. However, when I tried to find the page that explained that, I found this post instead: “Configure Apache to Support Multiple SSL sites on a single IP address”. I could have saved some money, but having multiple VPS services makes sure I have access to one of them should the other go down (I use my other VPS for IRC as well).

  6. Now, I could finally set up WordPress. I navigated here (you’ll see that it has already been set up). I won’t go into setting up WordPress from there, but this is precisely the same as “Run the Install Script”.

And that’s it for now! Hopefully I didn’t miss any steps.