JDPFu.com 2025

Sometimes I lose track of all the devices on a network and need a reminder of everything that is there. Under IPv6, you won’t scan the entire subnet – it would take millions of years – but under IPv4, you still use a scan. nmap is good for this and running it with operating system finger printing goes quickly (relatively speaking).

nmap OS finger print command

$ sudo nmap -O 192.168.0.0/24

Bare with me here. This is a great technique. I think you’ll thank me later after doing what this article suggests.

Homes and businesses today have lots of network devices. Using DHCP is the easiest way to get those on the network, but if you ever want those different devices to talk to each other, perhaps to transfer a file or to have a central backup server, then now your are running a network. Running a network means you probably want to know which devices are on your network or maybe that is just me. Perhaps you want each device to locate each other device too? Static IPs are possible under DHCP, sometimes called DHCP Reservations or Static Leases.

Make it easy for everyone in the house by using your router to force static IPs for the devices when they are at home, but still can connect to DHCP networks easily when roaming. This is really good for portable WiFi devices like laptops, smartphones, and for home entertainment devices that easily support DHCP.

Linux/Ubuntu (maybe others) – ssh key-based authentication made easier.

You know that you shouldn’t be using passwords to remotely connect to a different machine, but setting up key-based authentication has always been just a little too much hassle to bother. It really is simple, but there’s a tool to make it even easier. ssh-copy-id is included with Ubuntu-based distros (and probably others) to push the public key from your desktop to a server and append that public key to the end of the ~/.ssh/authorized_keys file.

FTP, File Transfer Protocol, has been around since the beginning of the internet in the early 1970s. It transfered files when the internet was a safer, more trusting, place. That isn’t the case anymore. Using FTP to host files is probably a bad idea for almost everyone. FTP is like Telnet. No encryption is used for anything. These days, we know that is bad.

In the mid-1990s most organizations stopped using telnet and switched to ssh, secure shell. FTP needs to be replaced for the same reasons. Below I’ll describe why very few people should use plain FTP anymore to remotely access files.

Yesterday, I was told that there was some issue with email here. Messages were bouncing. After a little research, it was determined that the ISP had decided to filter port 25 inbound AND outbound. That began around 1:50am on Wednesday morning. I know this because there are logs. Why did they change this after 12 years? I’ll never know.

About a month ago, an editor at a large blog website followed one of my links in a comment there back here and offered to republish the story. I was already seeing increased traffic from that link on their site – like 10x more than my normal daily traffic – and it scared me. I don’t have the bandwidth to handle that sort of traffic and my Ruby on Rails blog software … er … pretty much sucks from a scalability perspective. What did I do?

May 2021 Update

• Added kernel, header, module removed command to purge them from APT.


• Clarified /forcefsck options, slightly.

Jan 2020 Update
A little cleanup.

June 2018 Update
The big ideas below haven’t changed. Really the main change is to using apt instead of aptitude or apt-get for package management. apt is a newer, simpler, front-end to apt-get that does some housekeeping things automatically. I’ve been using apt for about 2 yrs.

Nov 2015 Update
If you want 5 years of support for your Ubuntu system, then it is important to check the Ubuntu Release Support webpage to verify the official support dates. For example,

• 14.04.1 support ends April 2019
• 14.04.2 support ends August 2016
• 14.04.3 support ends August 2016
• 15.10 support ends July 2016
  What does this mean?
  Use aptitude update on 14.04.1 systems to maintain the LTS support. If aptitude dist-update is used, then support time is significantly reduced. For a desktop that will be updated to 16.04 LTS, it probably doesn’t matter. For a server that will not be update before August 2016, this is very important.

2014 Update
After years of using apt-get, I’ve finally seen the aptitude light. Aptitude has solved a few dependency problems that apt-get puked over. It is smarter. Now I’m recommending that aptitude be used over apt-get. That is the only change below and for almost every common use, swapping apt-get for aptitude is the only change. That is the situation in this article. I did not update any comments to reflect this change. Learn more about aptitude from the Debian Wiki.

2013 Update
With newer Linux installs, there has been a huge problem with old kernels not being cleaned up automatically. For some people, this has caused their package manager to get stuck with an out of storage error. Until they can remove the issue, their system is stuck in APT-Hell. Not good at all. This article has been updated to add cleaning up kernels to the list.

Original Article Continues

I decided to write this entry after reading an article over a Lifehacker by Whitson Gordon titled What Kind of Maintenance Do I Need to Do on My Windows PC.

What kind of maintenance do I need to do on my Ubuntu/Debian/APT-based PC? Good question. It is pretty simple … for desktops. This article is for APT-based desktop system maintenance, NOT for Linux servers. Linux servers need just a little more love to stay happy. I haven’t used RPM-based distros in many years, so I’m not comfortable providing commands to accomplish the things you need to do, but the methods will be similar.

Let’s get started.

Install System and Application Patches/Updates

This will patch the OS and all your applications.

$ sudo apt  update; sudo apt full-upgrade

Done.

Don’t worry. This only updates the current distro to new packages and new kernels. It will not install a new release. If you need to stay on the current kernel, use

sudo apt safe-upgrade

. I’ve needed this only a few times in 15+ yrs of being a Linux administrator.

The apt manpage is pretty good and explains the subtle differences between upgrade, safe-upgrade and full-upgrade options. man apt will show it.

Read about more tips below.

There’s an old SSL/TLS security hole (from 11/2009) that has been out and patched for over a year (since 2/2010), but it appears that many major websites haven’t bothered patching it. CVE-2009-3555

The guys over at ssltls.de have a list. Seems that consistently patching is tough for many organizations. The list is pretty shocking for who is and isn’t patched. Take a look and be afraid. There are lots of big banks on the unpatched list. Scary. The list is not comprehensive, so just because your site or bank aren’t listed, doesn’t mean they are consistently patched.

• home.americanexpress.com is patched, but
• www.americanexpress.com cannot be confirmed as patched.

There are attacks in the wild that take advantage of this issue. I need to check whether my SSL sites are vulnerable too. Here’s an SSL checker

Adobe has decided to stop development for their fairly new Adobe-AIR platform on desktop Linux. For some reason, they will continue development on Android. Huh? Doesn’t Adobe know that Android is Linux?

AIR on 64-bit Linux Sucked

I tried AdobeAIR on a 64-bit Linux desktop about a yr ago to try a stock tracking app. It was slow and heavy so I removed it. Where I work, we dislike proprietary solutions that force vendor lock-in. AIR will not be installed on any of our machines regardless of OS and we advise our clients of the issues with AIR and all proprietary tools. The same applies to Silverlight. We won’t install it here and recommend that our clients do not as well. I would remove Flash if there wouldn’t be a revolt and I’ve already removed Adobe Acrobat from all our systems. We use alternatives with better security (or just fewer attackers). Adobe management doesn’t seem to understand how to build software that can be secure. They certainly haven’t shown a desire to do this based on the number of unfixed zero day exploits published continuously.

Whenever I visit a new website and they ask me to create a new login, I always wonder how that data is stored, especially the password. Some clues to poor password management:

1. plain text
2. hashed without a salt
3. reversible
4. support knows it
5. the system can email your password back to you
6. the system displays your password on a web page.

Theres a website that tracks sites with poor password management called PlainTextOffenders.com . That site estimates that 30% of all websites aren’t handling passwords appropriately. If you know of an offending website, let the plain-text-offenders know and publicize it. Sometimes that spotlight is enough to get the company to change.