Essential housekeeping in Ubuntu

December 07, 2005
I started using Ubuntu Breezy ver 5.10 a month back on my machine. Prior to that I was exclusively into Fedora. What drew me to Ubuntu was the huge number of packages in its repositories, including software which I find useful on a day-to-day basis like Tomboy, which I had to compile from source in Fedora. But the Ubuntu CD comes with the base packages, which support only open file formats. So if you want support for proprietary file formats like mp3 and quicktime, or want to install software not included on the CD, then you have to do some work.

I call it essential housekeeping because it is not exactly a problem, but only a matter of finding out how to get the necessary support. Here I share my experiences in putting the Ubuntu house in order on my machine.

Adding Universe and Multiverse repositories
The first thing to do in Ubuntu is add the universe and multiverse repositories to the /etc/apt/sources.list file. Usually you only need to uncomment the sections which are commented out. But I also found that even the universe repositories did not contain some packages like mplayer. So I had to search the net and find a repository which contained the mplayer package and add it to my sources.list file.
deb cdrom:[Kubuntu 5.10 _Breezy Badger_ - Release i386 (20051012)]/ breezy main restricted
deb cdrom:[Ubuntu 5.10 _Breezy Badger_ - Release i386 (20051012)]/ breezy main restricted

deb-src http://in.archive.ubuntu.com/ubuntu breezy main restricted

deb http://in.archive.ubuntu.com/ubuntu breezy-updates main restricted
deb-src http://in.archive.ubuntu.com/ubuntu breezy-updates main restricted

deb http://in.archive.ubuntu.com/ubuntu breezy universe main restricted
deb-src http://in.archive.ubuntu.com/ubuntu breezy universe

deb http://in.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse
deb-src http://in.archive.ubuntu.com/ubuntu breezy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu breezy-security main restricted
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted

deb http://security.ubuntu.com/ubuntu breezy-security universe
deb-src http://security.ubuntu.com/ubuntu breezy-security universe

deb http://ca.archive.ubuntu.com/ubuntu breezy universe
deb http://si.archive.ubuntu.com/ubuntu breezy multiverse
The lines highlighted are those that I added separately. For example the last line lists the path to the repository which has the mplayer package. I couldn't find the package in any of the other repositories.
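Every entry in sources.list names a host that apt will install packages from as root, so after hand-editing the file it is worth listing which hosts and components are now active. The following is an added example, not part of the original post; the function names, the `TRUSTED_SUFFIX` allow-list and the two `example` hosts in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list which hosts and components
# an apt sources file enables, and flag hosts outside an allow-list.
# TRUSTED_SUFFIX is an assumption; set it to the archive domain you trust.
TRUSTED_SUFFIX="ubuntu.com"

# "host component" pairs for every active deb/deb-src network entry.
# Commented-out lines and cdrom: entries are skipped.
source_pairs() {
    printf '%s\n' "$1" | awk '
        $1 != "deb" && $1 != "deb-src" { next }
        $2 ~ /^cdrom:/                  { next }
        {
            split($2, p, "/")   # scheme://host/path: p[3] is the host
            for (i = 4; i <= NF; i++) print p[3], $i
        }' | LC_ALL=C sort -u
}

# Hosts that are neither the trusted domain nor a subdomain of it.
# The match is anchored at a dot so "ubuntu.com.example.net" does not pass.
untrusted_hosts() {
    source_pairs "$1" | awk -v sfx="$TRUSTED_SUFFIX" '
        {
            n = length($1) - length(sfx)
            if ($1 == sfx) next
            if (n > 1 && substr($1, n) == ("." sfx)) next
            print $1
        }' | LC_ALL=C sort -u
}

# Components enabled for one host, space-separated.
components_for() {
    source_pairs "$1" |
        awk -v h="$2" '$1 == h { out = out sep $2; sep = " " } END { print out }'
}

# Sample input: four lines taken from the listing above, then one
# commented-out line and two third-party lines constructed for this example.
SAMPLE='deb cdrom:[Ubuntu 5.10 _Breezy Badger_ - Release i386 (20051012)]/ breezy main restricted
deb http://in.archive.ubuntu.com/ubuntu breezy universe main restricted
deb http://security.ubuntu.com/ubuntu breezy-security main restricted
deb http://si.archive.ubuntu.com/ubuntu breezy multiverse
# deb http://in.archive.ubuntu.com/ubuntu breezy-backports multiverse
deb http://packages.example.org/ubuntu breezy main
deb http://ubuntu.com.example.net/ubuntu breezy main'

echo "Hosts outside *.$TRUSTED_SUFFIX:"
untrusted_hosts "$SAMPLE"
echo "Components from in.archive.ubuntu.com: $(components_for "$SAMPLE" in.archive.ubuntu.com)"
```

To run it against a real system, pass the file contents instead of the sample: `untrusted_hosts "$(cat /etc/apt/sources.list)"`.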

Once I added the necessary repositories, the next step was to update the package database in Ubuntu. This I did by running the following command:
$ sudo apt-get update
Once updating was completed (took about 10 minutes), I got ready to install all the software that I found necessary. I had already prepared a list of the software I wanted and so it was only a matter of firing up synaptic (the GUI front end to apt-get) and installing the software. The software list I prepared was as follows:
  • Flash plugin for firefox web browser
  • mplayer with quicktime and wmv support
  • libdvdcss support for playing encrypted DVDs
  • fluxbox - a lightweight window manager. I find Gnome and KDE (with all the eye candy) distracting for doing serious work.
  • GNUCash - A personal finance package
  • Tomboy - A very good note taking application based on Mono.
  • Sun's JDK - For java support
  • Gkrellm - A GUI which gives a real-time graphical display of the system status, like cpu load, memory usage, processes loaded in memory, network traffic and so on, which I find really useful.
  • Compiler tools - Ubuntu is a distribution targeted at the ordinary user. So it does not bundle a compiler on the CD. But compiler tools are handy because you never know when you might need to compile a package from source and install on your machine.
  • NVIDIA glx drivers - I have a NVIDIA Geforce 2 MX graphics card. And even though ubuntu contains the nvidia drivers, I had to install the nvidia-glx package manually.
  • Install firestarter - the front end for the iptables firewall - and configure it. This is desirable because I found that the default installation of Ubuntu leaves the system wide open. Check by running the command:
    $ sudo iptables -L
    With an open system, your machine is just sitting there waiting to be cracked by crackers and script kiddies, or to be included in a DoS attack.
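`iptables -L` reports only the packet filter's policy; whether anything can actually be reached also depends on which sockets are listening on non-loopback addresses. The following added example (not from the original post) reads the text output of `iptables -L -n` and `netstat -ltn` and combines the two; the sample outputs are constructed and the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): combine the firewall policy with
# the list of listening sockets. Inputs are the text output of
# `iptables -L -n` and `netstat -ltn`; all sample outputs below are constructed.

# Default policy of the INPUT chain (ACCEPT, DROP, ...).
input_policy() {
    printf '%s\n' "$1" |
        awk '$1 == "Chain" && $2 == "INPUT" { gsub(/[()]/, "", $4); print $4 }'
}

# Number of rules listed under the INPUT chain (header lines excluded).
input_rule_count() {
    printf '%s\n' "$1" | awk '
        $1 == "Chain"  { in_input = ($2 == "INPUT"); next }
        $1 == "target" { next }
        in_input && NF { n++ }
        END            { print n + 0 }'
}

# TCP listeners bound to anything other than loopback, one per line.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $NF != "LISTEN"               { next }
        $4 ~ /^127\./ || $4 ~ /^::1:/ { next }
                                      { print $4 }'
}

# Verdict for the pair (iptables text, netstat text):
#   no-listeners  nothing reachable from the network, whatever the policy
#   exposed       reachable listeners, INPUT policy ACCEPT and no INPUT rules
#   review-rules  reachable listeners with some filtering; read the rules
assess() {
    if [ -z "$(exposed_listeners "$2")" ]; then
        echo "no-listeners"
    elif [ "$(input_policy "$1")" = "ACCEPT" ] &&
         [ "$(input_rule_count "$1")" -eq 0 ]; then
        echo "exposed"
    else
        echo "review-rules"
    fi
}

IPTABLES_DEFAULT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

IPTABLES_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

NETSTAT_LOCAL_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'

NETSTAT_WITH_SSHD="$NETSTAT_LOCAL_ONLY
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN"

echo "loopback only, default policy: $(assess "$IPTABLES_DEFAULT" "$NETSTAT_LOCAL_ONLY")"
echo "sshd added, default policy:    $(assess "$IPTABLES_DEFAULT" "$NETSTAT_WITH_SSHD")"
echo "sshd added, DROP policy:       $(assess "$IPTABLES_DROP" "$NETSTAT_WITH_SSHD")"
```

On a live machine, call it as `assess "$(sudo iptables -L -n)" "$(netstat -ltn)"`; the verdict changes as soon as a service such as sshd is installed, which is when the empty ACCEPT policy starts to matter.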
Other than the flash plugin and mplayer, I did not find any trouble in installing all the software. It was only a matter of selecting the necessary software in synaptic and installing. You can also do it in the command line as follows:
$ sudo apt-get install fluxbox tomboy gnucash

Installing NVIDIA Graphics card drivers
First I installed the glx driver package as follows:
$ sudo apt-get install nvidia-glx
Then I had to enable the driver to be used by X server.
$ sudo nvidia-glx-config enable

Installing Flash plugin
At first I couldn't find the flash player package in synaptic. The problem solved itself when I accessed a web page which contained a flash component. Firefox informed me that a plugin needed to view the component was missing and prompted me to install it by directing me to the macromedia website. And once I installed the flash plugin for firefox, I was able to view flash-based websites.

Installing the compiler tools
I installed the compiler tools which contained among others, gcc 4.0 and g++ as follows:
$ sudo apt-get install build-essential
$ sudo apt-get install manpages-dev autoconf automake libtool
$ sudo apt-get install flex bison gcc-doc g++
Now I could easily compile a source package and install it if the need arises.

Installing mplayer

Here I had to do a little more work than above but not as much as you might think. First I downloaded the essential codecs from the mplayer website. It was a bzip2 compressed tar file which was around 9MB in size. I unpacked it and copied the contents into the directory /usr/lib/codecs .
$ tar xvjf essential-20050412.tar.bz2
$ cd essential-20050412
$ sudo mkdir -p /usr/lib/codecs
$ sudo cp -R ./* /usr/lib/codecs/.
Now that the codecs were installed, the next step was installation of mplayer itself. This was achieved with the simple commands:
$ sudo apt-get install mplayer-586
$ sudo apt-get install mplayer-fonts

Support for playing encrypted DVDs - libdvdcss
If you want to play encrypted DVDs it is important to have the libdvdcss library installed on your machine. There is a very good site called ubuntuguide.org which lists a method of using apt-get to install this library. But somehow, it did not work for me. I got the error message that this package is not available in the repository. So I had to use a more roundabout way to install this library on my machine.
  • First I downloaded the source file libdvdcss-1.2.8.tar.bz2 using wget from the videolan.org website.
  • Then I unpacked it in my home directory and then compiled and installed it in the /usr directory as follows:
    $ tar -xvjf libdvdcss-1.2.8.tar.bz2
    $ cd libdvdcss-1.2.8
    $ ./configure --prefix=/usr && make && sudo make install
The installation went normally and I was able to play encrypted DVDs on ubuntu.

Housekeeping is a necessary bane for all OSes, whether it be windows, linux or OSX. In Linux, it is a little bit more work because of the licence restrictions imposed by the owners of the popular proprietary format files. But Ubuntu has done a good job of reducing this work as much as possible.

37 comments:

  • Ubuntu does NOT leave a system "wide open by default"

    As a matter of fact, Ubuntu has a "no open ports" policy by default. If you don't believe me, try running this on a fresh install of Ubuntu 5.10 (Breezy Badger Release):
    nmap -sV -O

    If you notice, nmap will tell you that 0 ports are open.

    The reason Ubuntu doesn't ship with a firewall is because 0 ports are open. Saying it is leaving the system open to attack is analogous to saying that an unlocked steel door welded shut is a security hazard. It isn't! Firestarter is a great iptables frontend, but please don't spread disinformation.

  • I also forgot to mention that ubuntu packages are available for libdvdcss and you don't have to compile them.

    libdvdcss2 : ftp://cipherfunk.org/pub/packages/ubuntu/pool/main/libd/libdvdcss/
    w32codecs : ftp://cipherfunk.org/pub/packages/ubuntu/pool/main/w/w32codecs/

  • Ubuntu in fact ships with iptables and firestarter is only a front-end to it. I think what the author of the post meant was that if you check the command
    # iptables -L

    It will show you that it has a default policy of ACCEPT for all INPUT, OUTPUT and FORWARD rules. Which makes it a security hazard.

    And you couldn't know for sure that your ports are blocked. Not all people know about nmap. I didn't.

  • Josh

    Wow. This is a little off from your usual quality. Stating that Ubuntu is wide open by default is so wrong as to not even be funny.

    Maybe you should have taken a bit more time to get to know it some first. Just because there are no iptables rules defined doesn't mean it's insecure.

  • Ravi

    @ anonymous and josh

    Thanks for pointing it out. I did not check if the ports are blocked or not. Since the ports are blocked by default, it makes Ubuntu secure.

    But I still feel, having a firewall helps a lot.

  • Thomas Jespersen

    Thanks for your guide.

    Here is a small howto install ATI drivers on Ubuntu:

    sudo apt-get install xorg-driver-fglrx
    sudo apt-get install linux-restricted-modules-$(uname -r)
    sudo dpkg-reconfigure xserver-xorg
    (select the fglrx driver)

    Ctrl+Alt+Backspace to restart desktop

    Confirm that it works:
    thomas@jespersen:~/Download$ fglrxinfo
    display: :0.0 screen: 0
    OpenGL vendor string: ATI Technologies Inc.
    OpenGL renderer string: RADEON X800 XL Generic
    OpenGL version string: 1.3.5272 (X4.3.0-8.16.20)

  • Annemarie

    Hey thanks for the guide. As a brand new linux user, I needed some guidance as to how to install the necessary stuff, as you said, flash, mp3 support, etc. Thanks!
    -Annemarie

  • In fact, there's an easy way to doing all that stuff without the CLI.

    http://ubuntuforums.org/forumdisplay.php?f=100

    Look at the Automatix and Easy Ubuntu threads.

    Thing is, I believe those should be promoted. Why? They make Linux "just work". Anything that does that is a good thing.

  • QDev

    Thanks for a great article.

    Also thanks to Thomas Jespersen for the ATI guide, Maybe now Tuxracer will run at more than 5 fps...

    Now where do I find the Counter Strike:Source for Ubuntu 5.10 guide? ;)

  • Hasan Bazerbashi

    Thanks for your guide.

    Your guide is for people who have Broadband at home!
    I wish somebody would make a guide for people who don't have broadband at home :( .... Like how to download the packages on disk or something and then deploy them later.

    Thanks.

  • Hopefully, I am not spreading falsehoods with the following.

    Ubuntu's ports being all closed (as shown by and assuming the correctness of nmap) means that no application or part of the operating system was listening for connections at the point in time nmap was run. This basically means the machine is just about unconnected from the network even if it is actually physically connected.

    All is not perfect (see below)
    but all is not lost either (see below again).

    If Ubuntu makes it easy for the user to start an application that listens on any interface except perhaps just the local one, then Ubuntu should configure iptables somewhat (i.e. activate firewall rules). [The "local" interface being open means that local applications (but not those from outside the box) can prod your computer]

    However, it is very likely that the only things a newbie can start up are things that listen only on the local interface(s) (127.0.0.1 or even 127.x.x.x). In this case, the newbie is not likely to stumble near the edge of any cliff.

    [Note for newbie, it is generally considered safe to initiate a conversation with the outside world (eg, by having the browser fetch a webpage from the Internet). The user (you) are presumably controlling the dialogue and the protocols generally only become exploitable when the application is in "listening" mode. Listening mode is when your computer has some software on it running that is willing to respond to requests. Contrast initiating/reacting with listening: Accept www.linuxsomething.com/homepage.html because we asked for it, but don't display localhost/ourhomepage.html if asked unsolicited. Vs. display localhost/ourhomepage.html whenever asked, say we are John Public whenever asked, give up our address book whenever asked or if they pass some test (this last case may seem safe because we are asking that a test be passed successfully (eg, a password), but it is *less* safe than simply never giving it up no matter what. The stranger may actually pass our test by guessing, because of a bug (as is common on Windows), or because they cracked or overheard our secret password).]

    A more advanced user is a different story. He or she may want to use that computer to provide a webserver for the local network or use it as the chokepoint to the Internet for the local network (eg, use the computer to give the local network access to the outside via dsl, cable, or modem). This advanced usage, if it is in fact advanced and not likely to be accidentally figured out by the newbie, is likely to be followed up by firewall activation, at least if the advanced user cares for it. [best case would still be that the "advanced" point and click or the manual instructions should direct the firewall to activate at such time. I haven't used Ubuntu enough to see just what it provides and how]

    I am not sure, but there are probably several programs that the newbie might want to use that are not completely safe (maybe Internet Messaging or play some game online or any of other possibilities). In this case though, there may be a limited amount that Ubuntu/Debian people can do. A tight firewall policy might be acceptable and expected at a place of business (in which case, the assumption is that a more experienced individual is setting things up), but at home, most users probably are willing to risk some in order to have fun (just look at all the people risking a lot every day using Windows).

    The good news, with all said and done, is that today (and probably tomorrow, too) naked Ubuntu is safer than MS Windows XP even with MS firewall up.


    ps. Firewall rules configured properly are always good because they offer a separate somewhat independent layer of protection over just having closed ports. Apps and the kernel contain bugs because programmers (humans) make mistakes. It is wise to practice *security in layers* (especially to be extra safe or even more especially if you are expecting an attack -- yikes).

  • This is a very good guide, but everyone should check out the Ubuntu Wiki's Restricted Formats section. It includes good instructions for most, if not all, of the restricted codec problems listed here.

    Check out the wiki page here:

    https://wiki.ubuntu.com/RestrictedFormats#head-cd84b8e23927ccdb4bb55ffd3074687abec0cf3b

  • Think carefully before installing flash. I couldn't believe how much more I enjoyed the internet when it wasn't pre-installed on ubuntu.

  • Hi,

    thanks for the article! I'm semi-newbie and know some stuff already, but found good pointers here.

    The unofficial Ubuntu Starter Guide was also pretty helpful, but it has not been updated for the current version. Hence, you have to do some guessing or query the package database.
    http://ubuntuguide.org/

    /H

  • Check out Automatix, it does all this and only one mouse click required :)

    http://ubuntuforums.org/forumdisplay.php?f=77

  • I prefer setting my iptables INPUT policy to DROP rather than ACCEPT or REJECT because instead of replying to a query with a "connection refused" it will simply drop the packets and not send anything back to the sender.

    If someone was to do a simple port scan on you, it would appear as if there is no computer there at all, rather than a computer rejecting everything coming at it.

    That said you are still not totally invisible. And just remember to set ESTABLISHED,RELATED connections on INPUT to ACCEPT so that services can reply to requests that YOU initiated, otherwise the internet won't be much fun at all ;)

  • Ravi: "Softwares" is not a word. The plural form is simply "software".

    "I had already prepared a list of the software I wanted..."

  • Not just the article is excellent, but also the comments. (except this one! :)
    Pretty useful. Thanx everyone.

  • Ralph

    If you want to learn more about iptables, there is a nice howto in the ubuntu wiki: https://wiki.ubuntu.com/IptablesHowTo?highlight=%28iptable%29

  • Firefox 1.5 installer script is quite useful.

    cheers,
    macewan

  • kOoLiNuS

    try out conqui (or it is conki ? i'm not @home now) to replace gkrellm or some gdesklets

  • Pretty much all of this information is on the RestrictedFormats page in Ubuntu's official wiki.

  • ".. default installation of Ubuntu leaves the system wide open...." This statement is blatantly False.
    The author should have investigated further before posting such misinformation.
    All ports are closed in the default installation.

  • But I still feel, having a firewall helps a lot.
    I could argue, that when there are no services listening on any ports, setting up a firewall actually increases the risk. By setting up iptables you add a component that can be reached from the network and potentially exploited, netfilter itself. When nothing is open the only exploitable resource is the kernel TCP/IP stack, once you add iptables rules you add a possibility to craft a packet to exploit iptables.

    As it was already pointed out, dvdcss doesn't have to be compiled. The dvdread library is installed by default and it comes with a shell script that will automagically download and install a dvdcss package. Just run
    sudo /usr/share/doc/libdvdread3/examples/install-css.sh

    And finally there is an excellent guide on setting up ubuntu at Ubuntu Help site

  • Donncha

    GNUCash doesn't install properly in Breezy unfortunately. There's a problem with libofx2 which doesn't install properly :(

  • "I could argue, that when there are
    no services listening on any ports setting up a firewall actually increases the risk."

    Ok but without one closed ports would
    signal to the attacker he has a live one when doing remote scans he could launch a DOS attack against the guy's connection and slow his bandwidth to
    a crawl :( now that wouldn't be fun.

  • donncha,
    GNUCash installs without any problem in breezy. Try changing your repositories or adding new ones.

    It worked for me perfectly. I think the repositories given in this article above should work.

  • mikey

    Running iptables on a machine with no services is like putting a barbed wire fence around a bank with no money and nothing to steal. It makes everything inconvenient in order to "solve" a non-problem.

    And the idea that closed ports will let an evil attacker find your machine in order to DoS it is just silly. If you can't handle that level of risk, you can't afford to have a computer in your house.

  • Donncha

    I looked into the GNUcash problem again. I upgraded from Hoary where that application used an earlier libofx. You have to remove that version to use the new libofx! I've included instructions in my upgrading ubuntu post.
    Thanks for mentioning GNUCash, I might not have tried to get it working so soon if you hadn't :)

  • Ubuntu certainly bundles a compiler on the cd. On a fresh install, after GDM starts, login, and do "apt-get install build-essential". You will notice that 0 bytes need to be downloaded, which shows that the compiler is already present in /var/cache/apt/archives...

    Rohan.
    rohandhruva AT gmail DOT com

  • Great article but I could not run command
    sudo cp -R ./* /usr/lib/codecs/.

    I get this message:
    /tmp/essential-20050412# sudo cp -R ./* /usr/lib/codecs/.
    cp: `/usr/lib/codecs/.': specified destination directory does not exist
    Try `cp --help' for more information.

  • @ anonymous above

    You have to create the directories first. Try executing the following command prior to using cp.

    # mkdir -p /usr/lib/codecs

  • Thank you thank you!

    I've tried many other so-called multimedia "installs" for ubuntu on other web sites but none of them worked: they didn't have the correct repositories, didn't mention installing gcc, etc..etc....

    Great Job!!!

  • check out Automatix. Its got a GUI, and installs basically all non free codecs and libdvdcss2, mplayer plugins for firefox, java, flash, and much more. Search Automatix in the Ubuntu Forums.

  • Ubuntu does not include a startup script for iptables, nor do I see any sort of gui front-end to it anywhere in the menus. This is very shortsighted, because most users will need network services: samba, NFS, cups, to name just a few common examples. The default install is OK, but actually going out of their way to cripple iptables (all other Linux distros come with iptables startup scripts) is very short-sighted.

  • I'm very new to Ubuntu. I've managed to install GNUCash but the fonts and stuff is different to the rest of the OS and other application. What gives and how to fix??

  • a bit misleading. ports r closed on feisty and dapper.

    firestarter is a good start
    apt-get install firestarter

    guarddog is also
    apt-get install guarddog

    lokkit is included
    apt-get install lokkit

    this is assuming u r sudo. if not sudo apt-get...

    'firewall' on feisty isn't really needed since ports r closed on the backend but the front end coverage is nice especially for multiusers
    also good for users using klibido

    won't help with kernel tcp/ip attack all that much but then again if they want to get in they will for the most part. just don't make it worth their time is the best bet.

    install tripwire, pitfall, or snoot for xtras but really is it all that necessary - maybe a bit paranoid at this point...

    bunch of other stuff out there but the more you add the more possibilities exist to find a gap