This guide is a quick step-by-step guide to how I implement E2Guardian on Ubuntu-type systems. The end result is a graphical system using the KDE desktop, so that staff can graphically manage print queues. This guide, however, is mostly command-line with no hand-holding.
Below are my local install notes for putting together a public access server on Kubuntu 20.04 Focal Fossa, providing print management and statistics for wifi users as well as library-provided gear.
You'll need to be pretty comfortable with Linux and the command line to replicate this. But it's really nothing too complicated. Basic steps needing no explanation for someone experienced in Linux are omitted. Using this guide, it takes me about 2 hours to set up a new machine from starting installation to full working order. These notes are for my benefit, but I hope you find it useful, too.
Change the hostname if you wish:
$ sudo hostnamectl set-hostname [name-goes-here]
Prep things for basic server tasks:
$ sudo apt-get install -y lamp-server^ samba-server^ openssh-server^
$ sudo apt install vim exfat-fuse exfat-utils
Edit /etc/systemd/timesyncd.conf so that the [Time] section includes:
NTP=us.pool.ntp.org
FallbackNTP=ntp.ubuntu.com
Restart the time service and check:
$ sudo systemctl restart systemd-timesyncd.service
$ sudo systemctl status systemd-timesyncd.service
Edit /etc/ssh/sshd_config. Uncomment the line #Banner /etc/issue.net.
Edit /etc/issue.net to give whatever notice your lawyers say is appropriate to people trying to log into your server:
*******************************************************************************
NOTICE TO USERS

This computer system is the property of the Branch District Library. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized officials of law enforcement and government agencies. By using this system, the user consents to such interception, monitoring, recording, auditing, inspection, and disclosure at the discretion of the Branch District Library or other authorized officials of law enforcement or government agencies.

Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.

LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this notice.
*******************************************************************************
Edit /etc/netplan/00-installer-config.yaml as shown below, customizing as needed. In Ubuntu 20.04, systemd will determine the names of your ethernet adapters, as explained in the article on predictable network device names. Here eno1 faces the staff network and eno2 the public access network:
network:
  ethernets:
    eno1:
      addresses:
        - 192.168.XX.XXX/24
      dhcp4: no
      gateway4: 192.168.XX.1
      nameservers:
        addresses:
          - IP-OF-NS1
          - IP-OF-NS2
    eno2:
      addresses:
        - 192.168.1.1/24
      dhcp4: no
      # no gateway4 here: only eno1 carries the default route
      nameservers:
        addresses:
          - IP-OF-NS1
          - IP-OF-NS2
  version: 2
To apply the changes, execute:
$ sudo netplan apply
Verify the changes:
$ ip addr
Install the DHCP server and back up the original config file:
$ sudo apt install isc-dhcp-server && \
    sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
Edit /etc/dhcp/dhcpd.conf as needed, adding static address assignments for your library-provided public computers. If you are using this DHCP server to give addresses to all your public and staff computers, make sure all library computers are defined in this file. The file should look something like this:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style none;
option routers 192.168.1.1;
option domain-name-servers YOUR-DNS-SERVER-1,YOUR-DNS-SERVER-2;

# Empty declaration for the staff-side subnet so dhcpd will start with eno1 present
subnet [Subnet of eno1, just ending in .0] netmask 255.255.255.0 {
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.254;   # desired public service IP address range
  # host entries for static IP assignment (the brace must come before the comment,
  # since "#" comments out the rest of the line)
  host HOSTNAME-HERE {
    hardware ethernet MAC-ADDRESS-USING-COLONS;
    fixed-address DESIRED-IP-ADDRESS-FOR-THIS-MACHINE;
  }
}
Restart DHCP server:
$ sudo service isc-dhcp-server restart
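Keeping "all library computers defined in this file" by hand invites typos that dhcpd will either reject or, worse, silently honour. The following is an added example, not part of the original notes: it generates the host stanzas from an inventory file in a format of my own (NAME,MAC,IP per line), rejecting malformed MACs, duplicate MACs, and addresses that fall inside the dynamic pool or on the gateway, so the output can be pasted straight into the 192.168.1.0 subnet block.

```shell
#!/bin/sh
# Added example, not part of the page: generate the dhcpd "host" reservations from a
# plain inventory file (NAME,MAC,IP per line; my own format), validating each entry
# so a typo cannot silently leave a library computer without its static address.

reservations() {
  # $1: inventory file. Prints host stanzas on stdout; returns 1 if any line was rejected.
  rc=0
  seen=""
  while IFS=, read -r name mac ip; do
    case "$name" in ''|'#'*) continue ;; esac          # blank lines and comments
    if ! printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
      echo "skip $name: bad MAC '$mac'" >&2; rc=1; continue
    fi
    # Reservations must stay out of the dynamic pool 192.168.1.100-254 and off the gateway .1.
    case "$ip" in
      192.168.1.[2-9]|192.168.1.[1-9][0-9]) ;;
      *) echo "skip $name: IP '$ip' is not in 192.168.1.2-99" >&2; rc=1; continue ;;
    esac
    case " $seen " in
      *" $mac "*) echo "skip $name: duplicate MAC $mac" >&2; rc=1; continue ;;
    esac
    seen="$seen $mac"
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$name" "$mac" "$ip"
  done < "$1"
  return $rc
}

# Constructed inventory: one good entry, one MAC with a typo, one IP inside the dynamic pool.
write_sample_inventory() {
  cat > "$1" <<'EOF'
# name,mac,ip
opac-1,00:11:22:33:44:55,192.168.1.10
catalog-2,00:11:22:33:44:5g,192.168.1.11
kiosk-3,00:11:22:33:44:57,192.168.1.150
EOF
}
```

After pasting the output into dhcpd.conf, `dhcpd -t -cf /etc/dhcp/dhcpd.conf` checks the syntax before you restart the service.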
We'll use Shorewall to make it easier to maintain rules for public Internet access. Note: I highly recommend that you have this gateway behind another firewall, limiting access from the public Internet. In this case, think of "net" in all the examples below to mean your staff network and "loc" is your public access network.
Install shorewall and copy configuration files:
$ sudo apt-get install shorewall shorewall-init && \
    sudo cp /usr/share/doc/shorewall/examples/two-interfaces/interfaces /etc/shorewall/; \
    sudo cp /usr/share/doc/shorewall/examples/two-interfaces/policy /etc/shorewall/; \
    sudo cp /usr/share/doc/shorewall/examples/two-interfaces/rules /etc/shorewall/; \
    sudo cp /usr/share/doc/shorewall/examples/two-interfaces/snat /etc/shorewall/; \
    sudo cp /usr/share/doc/shorewall/examples/two-interfaces/zones /etc/shorewall/
Edit /etc/shorewall/shorewall.conf. Find the line that reads IP_FORWARDING=Keep and change it to IP_FORWARDING=On.
Edit /etc/shorewall/interfaces:
ZONE  INTERFACE  OPTIONS
net   eno1       dhcp,tcpflags,nosmurfs,routefilter,sourceroute=0
loc   eno2       dhcp,tcpflags,nosmurfs,routefilter
Edit /etc/shorewall/snat. In Shorewall 5 the columns are ACTION, SOURCE, DEST (the old INTERFACE SOURCE order belongs to the retired masq file), so this masquerades the public network behind eno1:
MASQUERADE  192.168.1.0/24  eno1
Edit /etc/shorewall/policy:
loc  all  ACCEPT
fw   loc  ACCEPT
fw   net  REJECT
net  all  DROP
# THE FOLLOWING POLICY MUST BE LAST
all  all  REJECT
Edit /etc/shorewall/rules. At minimum, append the following rules to the end of the existing file and edit per your situation.
# file sharing
SMB(ACCEPT)  net  fw
SMB(ACCEPT)  fw   net
# Accept SSH connections for administration
ACCEPT  net  fw  tcp  22
# Accept HTTP for the wifi stats
ACCEPT  net  fw  tcp  80,443
# let the other servers access apcupsd for shutdown commands
# after a power failure
ACCEPT  net  fw  tcp  3551
# VNC
ACCEPT  net  fw  tcp  5900
# Allow both sides of the firewall to access the filter
# (as in your staff side can use the filter, too)
ACCEPT  net  fw  tcp  8081
# Route all HTTP traffic from library computers to the filter
# make the IP address range match your needs
REDIRECT  loc:192.168.1.2-192.168.1.255  8081  tcp  80,8000,8001,8080  -
####################################################
# RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL #
####################################################
# ping
ACCEPT  fw  net  icmp
# DNS
ACCEPT  fw  net  udp  53
ACCEPT  fw  net  tcp  53
# HTTP(s)
ACCEPT  fw  net  tcp  80,8000,8001,8080,443
# NTP
ACCEPT  fw  net  udp  123
# Security Cams
ACCEPT  fw  net  tcp  7001,7002
# Allow all traffic out to the local staff and public networks
ACCEPT  fw  net:192.168.0.0/16  all
ACCEPT  fw  loc  all
########################################################
# END RULES TO LET CERTAIN TRAFFIC OUT OF THE FIREWALL #
########################################################
# This last rule needs to be in place to allow for unfiltered library computers. It needs to be kept last.
ACCEPT  loc  net  tcp  80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Edit /etc/shorewall/zones:
fw   firewall
net  ipv4
loc  ipv4
Edit /etc/default/shorewall. Change startup=0 to startup=1. Restart shorewall:
$ sudo shorewall restart
Set Shorewall to start automatically on boot:
$ sudo systemctl enable shorewall
Create a MySQL user for logging into phpMyAdmin:
$ sudo mysql -p -u root
mysql> CREATE USER 'phpMyAdmin'@'localhost' IDENTIFIED WITH mysql_native_password BY 'PASSWORD-HERE';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'phpMyAdmin'@'localhost';
mysql> FLUSH PRIVILEGES;
Install phpMyAdmin:
$ sudo apt install phpmyadmin
The wifi stats are gathered from the DHCP server configured in /etc/dhcp/dhcpd.conf above. Create the MySQL database for tracking them:
$ sudo mysql -u root -p
mysql> CREATE DATABASE IF NOT EXISTS `wifi_stats` DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
mysql> quit;
If you are migrating from an existing stats server, import your old dump into the new database:
$ sudo mysql -u root -p wifi_stats < old_exported_wifi_stats.sql
Otherwise, copy wifi_stats.sql into a file of the same name in your current directory. This is the database schema, which creates an empty database. Import your file into MySQL:
$ sudo mysql -u root -p wifi_stats < wifi_stats.sql
Copy wifi_stats.php into the file /var/www/html/wifi_stats.php. Edit the top of the file to enter your own password.
Copy DHCPd-parse.php into the file /var/www/html/DHCPd-parse.php. Edit the top of the file to enter your own password. You can look at your collected stats at http://YOUR-SERVER-IP-ADDRESS-OR-URL/wifi_stats.php.
Copy reportdhcp.pl into /usr/lib/cgi-bin/reportdhcp.pl, then enable CGI:
$ sudo chmod 755 /usr/lib/cgi-bin/reportdhcp.pl
$ sudo a2enmod cgi
$ sudo systemctl restart apache2
This program isn't actually used for any of the stats collection, but it can be useful for troubleshooting. Access it from http://YOUR-SERVER-IP-ADDRESS-OR-URL/cgi-bin/reportdhcp.pl.
Add a crontab entry to run the parser once an hour:
1 * * * * wget http://localhost/DHCPd-parse.php -O /dev/null > /dev/null 2>&1
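The source of DHCPd-parse.php is not on this page, so as an added example (my own code, not the project's) here is the core of what such a collector has to get right: dhcpd appends a new block to dhcpd.leases on every renewal or release, so only the last block per address is current, and one phone that renews onto a new address must not be counted twice. The leases file is constructed.

```shell
#!/bin/sh
# Added example, not the page's DHCPd-parse.php: count distinct wifi clients that
# hold an active lease, from an ISC dhcpd.leases file (/var/lib/dhcp/dhcpd.leases on Ubuntu).

active_clients() {
  # $1: leases file. dhcpd appends a new block on every renewal or release, so for
  # each address only the LAST block counts; devices are then de-duplicated by MAC.
  awk '
    /^lease /               { ip = $2; mac = ""; state = "" }
    /^ *hardware ethernet / { mac = $3; sub(/;$/, "", mac) }
    /^ *binding state /     { state = $3; sub(/;$/, "", state) }  # skips "next binding state"
    /^}/                    { if (ip != "") { last_mac[ip] = mac; last_state[ip] = state }; ip = "" }
    END {
      for (ip in last_state)
        if (last_state[ip] == "active" && last_mac[ip] != "") seen[last_mac[ip]] = 1
      n = 0
      for (m in seen) n++
      print n
    }' "$1"
}

# Constructed leases file: .101 is later released, and the device on .102 moves to .104.
write_sample_leases() {
  cat > "$1" <<'EOF'
lease 192.168.1.101 {
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
}
lease 192.168.1.102 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 192.168.1.103 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:03;
}
lease 192.168.1.101 {
  binding state free;
  hardware ethernet aa:bb:cc:00:00:01;
}
lease 192.168.1.104 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:02;
}
EOF
}
```

For the sample above the answer is 2 (the .102/.104 device and the .103 device), not 4 as a naive count of "binding state active" lines would give.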
Create a public file sharing directory at /home/temp:
$ sudo mkdir /home/temp
$ sudo chown nobody:nogroup /home/temp
$ sudo chmod 777 /home/temp
Edit /etc/samba/smb.conf. Put the following lines at the end:
[temp]
  comment = Public file sharing space
  path = /home/temp
  read only = no
  user mask = nobody
  create mask = 0666
  directory mask = 0777
  browseable = no
  public = yes
  writeable = yes
  guest ok = yes
  guest only = yes
$ sudo systemctl restart smbd
Test the share by opening \\192.168.1.1\temp in a file manager window. No password should be required and you should have full write access.
Edit /etc/samba/smb.conf to share and hold the print jobs. Comment out the [printers] and [print$] sections, then add the following lines to the end of the file, changing as necessary to fit your situation:
[ServiceDeskPrinter]
  path = /var/spool/samba
  browseable = yes
  printable = yes
  printer name = ServiceDeskPrinter
  cups options = job-hold-until=indefinite
Create a user account for managing the print queue and add it to the lpadmin group. In your user account with sudo privileges, go to System Settings -> Startup and Shutdown -> Login Screen -> Advanced -> Autologin, and set your new user to log in automatically. Open the queue with:
$ kde-print-queue ServiceDeskPrinter
From here you can release the print jobs to the printer or delete them. Add the following to root's crontab to clear any leftover held jobs and the CUPS spool every night:
4 21 * * * /usr/bin/lprm -P ServiceDeskPrinter -
5 21 * * * /bin/rm /var/cache/cups/job.cache*
6 21 * * * /bin/rm /var/spool/cups/c*
7 21 * * * /bin/rm /var/spool/cups/d*
Create a user (no home directory, login disabled) for clients to authenticate to the shared printers with:
$ sudo adduser --no-create-home --disabled-login <user>
and make an accompanying Samba user with:
$ sudo smbpasswd -a <username>
On the library computers, add the printers as \\192.168.1.XXX\Black_and_White_Printer, etc. Change the printing preferences for the Black and White to grayscale and make that printer the default to save on color toner.
To easily share your printers for Android and Apple users, you'll need to visit the CUPS configuration pages from a web browser on the server. But first, you'll need to add your username to the lpadmin group:
$ sudo usermod -aG lpadmin <username>
Next, to open the printing config for your computer, go to http://localhost:631/admin
in a web browser on the server.
On the Administration page on the right-hand side, enable the option that says "Share printers connected to this system", and click "Change Settings". Authenticate with the username and password of the account you just added to lpadmin, and you'll be good to go.
In the KDE printer settings dialog, click "share" on the printer you want to share for mobile clients.
Enter the following command to hold print jobs sent from mobile clients until you release them:
$ sudo lpadmin -p ServiceDeskPrinter -o job-hold-until-default=indefinite
For your staff to release the print jobs from library computers or mobile devices, they'll need to see the screen on the server. If it's in an accessible space, great: just have them use the computer like any other. If it's not accessible, you'll need to remote in via VNC.
$ sudo apt install x11vnc
Then, from the print queue user account you created above:
$ x11vnc -storepasswd
Create a small script, x11vnc.sh, and save it to ~/.vnc/:
#! /bin/bash
/usr/bin/x11vnc -xkb -noxrecord -noxfixes -noxdamage -display :0 -auth guess -rfbauth ~/.vnc/passwd -rfbport 5900 -shared -forever -o ~/.vnc/x11vnc.log
Go to System Settings -> Startup and Shutdown, and add your script from above to start automatically. Go to Display and set the screen resolution to 1024x768. Go to Desktop Behavior and turn off all desktop effects. Go to Power Management -> Energy Settings and disable screen dimming or auto turn-off.
On the staff computers, create a shortcut to the UltraVNC executable, and use the following parameters:
"C:\Program Files\uvnc bvba\UltraVNC\vncviewer.exe" /host 192.168.42.2 /password <password> /autoscaling
Add the Bluecherry Repo key and install the server, answering the prompts as needed (more at http://community.bluecherrydvr.com/topic/xenial-driver-instructions):
$ wget -q http://ubuntu.bluecherrydvr.com/key/bluecherry.asc -O- | sudo apt-key add -
$ sudo wget --output-document=/etc/apt/sources.list.d/bluecherry-unstable-xenial.list http://unstable.bluecherrydvr.com/sources.list.d/bluecherry-xenial.list
$ sudo apt update; sudo apt install bluecherry
$ sudo apt-get install linux-image-4.8.0-39-generic
$ sudo systemctl enable bluecherry
$ sudo service bluecherry start
Log into the Bluecherry web admin at https://192.168.1.1:7001/ and activate with your license key. Set up the system as desired. The default login is a username of admin and password of bluecherry. Change these immediately and set up user account(s) for those who will be watching the video streams.
Install the Bluecherry client program or web client views as needed.
Generate an SSH key for the backup copies and install it on the remote backup host:
$ ssh-keygen -t rsa
$ ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host
Add a crontab entry to dump the stats database nightly and copy it to the remote host:
5 0 * * * mysqldump -u root --password=YOUR-PASSWORD wifi_stats > /home/username/wifi_stats_dump.sql; scp -i /home/username/.ssh/id_rsa /home/username/wifi_stats_dump.sql username@remote_host:/path/to/backup/directory/
On remote_host, add from="YOUR-FILTER'S-IP-ADDRESS", followed by a space, before the "ssh-rsa [...]" stuff in the /home/username/.ssh/authorized_keys file. This will limit the key to being used only from your filter.
Install apcupsd and back up the default config file:
$ sudo apt-get install apcupsd; \
    sudo mv /etc/apcupsd/apcupsd.conf /etc/apcupsd/apcupsd.conf.bak
Copy apcupsd.conf into /etc/apcupsd/apcupsd.conf, editing parameters as you see fit.
Edit /etc/default/apcupsd and change ISCONFIGURED=no to ISCONFIGURED=yes.
And that is all! Reboot and make sure everything comes back up the way it should. And TEST!