The Life of Josh

Computer Engineer, Security Consultant, and Tech Nerd.

Category

Work

Dynamic DNS updates for a RaspberryPi server

I posted about how I set up a RaspberryPi for a work experiment. That server has a DNS name using the service https://dyn.com/ where they will keep my hostname pointed at the IP address my server is on. I need this because I have a residential cable modem connection to the Internet so my IP address can change at random. I wasn’t sure how easy or hard it would be to find a client to keep my record updated, but it turns out you only need 3 commands to configure this in the Terminal app or via SSH:

sudo apt-get update
sudo apt-get install libio-socket-ssl-perl
sudo apt-get install ddclient

When you type the third line above it will step through a simple wizard that asks what Dynamic DNS service you are using, and then asks for the username and password to use. Everything was up and running in about a minute. You can then tail /var/log/syslog to see status messages or look at /etc/init.d/ddclient or /etc/ddclient.conf if you want to adjust how it starts or is configured, but the defaults seem fine.

Easy SSL Cert for testing

Have you ever needed to test something with a web server that you stand up quickly, but don’t have an SSL cert for it, and don’t have access to a wildcard cert for the domain? Check out http://www.letsencrypt.org and be prepared to quickly and easily get an SSL cert. 

On a RaspberryPi system you start by installing certbot via “sudo apt-get install python-certbot-apache”. I then ran into some trouble trying to just use certbot’s automagic apache mechanism, so I did this:

  1. Enable SSL on Apache with “sudo a2enmod ssl”
  2. Stop Apache with “sudo /etc/init.d/apache2 stop”
  3. “sudo certbot certonly --standalone” to go through the process. It will launch a process that the certificate authority will connect to on TCP 80 to verify you control the DNS name you are trying to make a cert for, so that name should resolve to this server.
  4. Edit /etc/apache2/sites-enabled/default-ssl.conf to point to your SSL certs. These 3 settings must be changed; make sure the path matches where your files are stored:
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

Now you need to start Apache back up with “sudo /etc/init.d/apache2 start” and hopefully it should load. I don’t believe any steps are missing here, but please do let me know in the comments if you tried this and were totally stuck. Remember you’ll have to renew your certs each year, but certbot has a renew function as well. Super simple. 
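A check to run after step 4, added here as an example and not part of the original post: it confirms that the private key belongs to the certificate Apache is pointed at, and that the certificate is not close to expiry. The function names and the 30-day threshold are assumptions, and the sample certificates are constructed throwaway self-signed pairs.

```bash
#!/usr/bin/env bash
# Added example: checks for the files that default-ssl.conf points at.
# Function names and the 30-day threshold are assumptions for illustration.

# Succeeds when the private key (KEY) belongs to the certificate (CERT).
key_matches_cert() {   # usage: key_matches_cert CERT KEY
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds when CERT is still valid DAYS days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Prints OK, MISMATCH or RENEW; returns non-zero unless the pair is usable.
check_pair() {   # usage: check_pair CERT KEY MIN_DAYS
    key_matches_cert "$1" "$2" || { echo "MISMATCH"; return 1; }
    cert_valid_for_days "$1" "$3" || { echo "RENEW"; return 1; }
    echo "OK"
}

# Constructed sample input: a throwaway self-signed pair, so the demo runs offline.
make_sample_pair() {   # usage: make_sample_pair DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=example.com" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

if [ "$#" -ge 2 ]; then
    # Real use: pass the SSLCertificateFile and SSLCertificateKeyFile paths.
    check_pair "$1" "$2" "${3:-30}"
else
    # Demo on constructed certificates: one healthy, one expiring in 10 days.
    tmp=$(mktemp -d)
    make_sample_pair "$tmp" good 90
    make_sample_pair "$tmp" short 10
    echo "good cert, own key:   $(check_pair "$tmp/good.pem" "$tmp/good.key" 30)"
    echo "good cert, wrong key: $(check_pair "$tmp/good.pem" "$tmp/short.key" 30)"
    echo "short cert, own key:  $(check_pair "$tmp/short.pem" "$tmp/short.key" 30)"
    rm -rf "$tmp"
fi
```

Against a real install, run it as root with the cert.pem and privkey.pem paths from default-ssl.conf as the two arguments, since the private key is readable only by root.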

Protecting a RaspberryPi

So I had a need for work to set up an Apache server to test a feature of our product. It was easy enough to get it going:

  1. Install Noobs to SD card
  2. Boot up RaspberryPi 3B+ with Noobs
  3. Install Raspbian
  4. Use apt-get to install apache2
  5. Port Forward 80 and 443 to my RPi
  6. Use DynDNS to direct a DNS name to my home IP

So all that was super easy. Next I started to worry about protecting my little pocket computer. I looked at DenyHosts, but it seems like the version in apt-get was super old and even the latest seems not maintained. So I did “apt-get install fail2ban” because that seems fairly current. So this is more of a question post than a helpful post for others. My question is if fail2ban via apt-get needs certain config changes or if it is good with default settings? If you read this and can comment with guidance it would help me, and hopefully others. If the steps above seem complicated and anyone wants a step by step posted then I’m happy to do so. If you’d like to try to beat up on my little computer that’s cool too. Nothing private is on it. http://absolute.jnux.net is the Apache2 instance.

NewsBlur Subscriptions to share

To help my IT friends at my job I’m leaving, I’m trying to share things that will help them. Below is a link to my NewsBlur subscriptions. I have A LOT of Mac stuff in here. The NewsBlur system costs $2/month ($3 if you are feeling it is worth it and have spare $). It is extremely worthwhile especially since the demise of Google Reader. There’s also an iPhone and iPad app you can use on the go. The stuff in the Engineering – Mac feeds will help someone do most of what I do.

Empowering End Users. Reducing IT workload.

Users having the freedom to fully use their computers even in an Enterprise. I’ve been thinking long and hard about this topic. Long ago when I began working in corporate IT I was taught that users can’t be trusted. They can’t possibly know what is good for their computer, and we must approve everything they do. We must basically suck all the fun out of the thing they use for perhaps 90% of their day. It used to make sense to me because I was always mostly a Windows guy at work while at home I was mostly a Mac and Linux guy. Where I always would get bent out of shape was when we would take Windows shortcomings and imagine the Macs had the same shortcoming. I’ll explain what I mean. Some of our users need admin rights of their machines. Because Windows, prior to UAC in Vista, was completely unsafe to run as an admin we made folks create a secondary account for admin reasons on their machine. Somehow on the Macs the same rule was in place even though OS X effectively had a better version of UAC before UAC even existed.

Common Problem Repair system (CPRs) for Mac/Windows

Where I work I’m in charge of Desktop Engineering. We have a responsibility for every laptop, desktop, iPad, iPhone, Android, etc… device in the environment at a very high level. We create the base images that go on the computer systems, we package the software that goes out to them. There is a staff of Desktop Support folks who will implement things my group creates, and they also provide the direct support to the users at the company. Those Desktop Support folks see a wide range of issues. When they don’t know how to fix something they escalate the issue to my group.

Workin on the resume

Spent a while cleaning up my resume today. Never know what the future has in store so always good to have yourself organized.

http://www.linkedin.com/in/jlevitsk

Social Media updates and me

It’s been so long since I posted last. Life got kinda crazy this past year. Before 2005 everyone knew me as a pretty social person, and I would try out every social network there was from Friendster to Orkut to MySpace, well, you get the idea. I used to even run a BBS in recent history. I’m going to start cleaning up my accounts that live all over the place and get back in to knowing more about how everything works. Playing with Social Media, gadgets, reading news sites… those things made me good at my job, and I honestly have been slacking. So here and there I’ll update my blog as I clean up my accounts and if I stumble across new and cool things I will most definitely post about them.

For my first update I’m cleaning up my About.me/jlevitsk and my LinkedIn pages. AboutMe is sort of like a business card online. You put a little bit of information about you, and links to all of the Social Media sites you are on. LinkedIn is like Facebook but for business contacts. It’s a good way to keep in contact with co-workers who have left, and not have them see your embarrassing Facebook posts. 🙂

So welcome back to me and maybe I’ll post something interesting. For now it’s just me updating things.

Windows Genuine Advantage problems today?

Anyone having WGA problems today? Getting “Windows Genuine Advantage, Unable to complete genuine Windows validation.” like mad here. I’m hearing from some folks they are having this at other companies but Microsoft is saying they only have 1 other report.
