Setting Up an sftp Site on Amazon Web Services EC2, and a Guest Account

(Original post copied from, and adapted a little.)

This consists of three parts:

  • setting up an sftp site on EC2
  • creating a new user account
  • configuring the new user account for read-only sftp, with no ssh privileges

This is intended for transferring files to and from trusted users. I use this as an adequate solution for occasionally sending very large files to clients, using an EC2 instance dedicated to that task. After the transfer is complete, I shut down or delete the instance.

Set up a server using Amazon Web Services EC2, choosing an Ubuntu Amazon Machine Image (AMI). (You can find an AMI using You may want to choose one that’s free tier eligible, such as ami-1aad5273)

ssh into the server:

ssh -i keyfile.pem [email protected]

Install vsftpd:

sudo apt-get install vsftpd

Create a new user:

sudo adduser newusername

Using the AWS Management Console, generate a new key pair for the third-party user.

On Linux, you can generate the public and private keys with the following command on your own local system (note that 1024-bit DSA keys are disabled by default in OpenSSH 7.0 and later, so on a current system generate an Ed25519 or 4096-bit RSA key instead):

ssh-keygen -b 1024 -f newusername -t dsa

On the server, create the .ssh directory for the new user:

sudo mkdir /home/newusername/.ssh

Paste the public key into /home/newusername/.ssh/authorized_keys.

Set permissions:

sudo chmod 700 /home/newusername/.ssh

sudo chmod 600 /home/newusername/.ssh/authorized_keys

sudo chown -R newusername:newusername /home/newusername/.ssh

Test the new user’s sftp login from your local machine:

sftp -o IdentityFile=newkeypair1.pem [email protected]

Make a new group for users who should be limited to using only sftp:

sudo groupadd sftponly

sudo adduser newusername sftponly

Edit /etc/ssh/sshd_config and change the Subsystem line to:

Subsystem sftp internal-sftp

and add these lines to the end of /etc/ssh/sshd_config:

Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Set permissions without clobbering the files needed for key-based authentication (download only). sshd requires the ChrootDirectory to be owned by root and not writable by group or others:

sudo chown root:root /home/newusername

To deny SSH shell access, run the following command:

sudo usermod -s /bin/false newusername

If you want to permit uploads, use the command below. Be aware that sshd rejects a ChrootDirectory that is not owned by root, so with the Match block above this will make the sftp login fail; the usual approach is to keep /home/newusername root-owned and create a subdirectory inside it that is owned by the user.

sudo chown newusername:newusername /home/newusername

sudo chown -R newusername:newusername /home/newusername/.ssh

sudo /etc/init.d/ssh restart

Now the new user can connect by sftp, but not by ssh. Place the files you want to share in /home/newusername, and share the key with the user or upload your files.

Linux Increase Networking Performance Tuning Network Stack (Buffers Size)

While running a stress test to improve performance, I reached some limits when the system was under intense load. By default the Linux network stack is not configured for high-speed, large file transfers across WAN links; this is done to save memory. You can easily tune the Linux network stack by increasing the network buffer sizes on high-speed networks connecting server systems, so that they can handle more network packets.

The default maximum Linux TCP buffer sizes are far too small. TCP memory is calculated automatically based on system memory; you can find the actual values by typing the following commands:

The default and maximum amount for the receive socket memory:

The default and maximum amount for the send socket memory:

The maximum amount of option memory buffers:

Tuning the Values

Set the maximum OS send buffer size (wmem) and receive buffer size (rmem) to 12 MB for queues on all protocols. In other words, set the amount of memory allocated for each TCP socket when it is opened or created while transferring files:

WARNING! The default value of rmem_max and wmem_max is about 128 KB in most Linux distributions, which may be enough for a low-latency, general-purpose network environment or for applications such as DNS or web servers. However, if the latency is large, the default size might be too small. Note that the following settings will increase memory usage on your server.

Now, as root user…

You also need to set the minimum, initial and maximum sizes in bytes:

Turn on window scaling, which can be used to enlarge the transfer window:

Enable timestamps as defined in RFC 1323:

Enable selective acknowledgments (SACK):

By default, TCP saves various connection metrics in the route cache when a connection closes, so that connections established in the near future can use them to set their initial conditions. Usually this increases overall performance, but it may sometimes cause performance degradation. If set, TCP will not cache metrics on closing connections.

Set the maximum number of packets queued on the INPUT side when the interface receives packets faster than the kernel can process them.

Now reload the changes:

Use tcpdump to view changes for eth0, eth1 or wlan0, or…

See the results, enjoy it!
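Added example, not the original post's commands: a script that shows the current socket buffer limits, writes the settings described above as a sysctl.d fragment with the 12 MB limits, and reloads it. It assumes Linux with procps sysctl; the fragment file name, the tcp_rmem/tcp_wmem minimum and initial values and the backlog figure are mine, not from the text.

```shell
#!/bin/bash
# Added example (not the original post's commands): inspect, persist and
# reload the TCP buffer tuning described in the text. Root is needed only
# for write_tuning.
set -eu

BUF_BYTES=$((12 * 1024 * 1024))   # 12 MB = 12582912 bytes

# Read-only: the "find the actual values" step from the text.
show_current() {
  sysctl net.core.rmem_default net.core.rmem_max \
         net.core.wmem_default net.core.wmem_max net.core.optmem_max \
         net.ipv4.tcp_rmem net.ipv4.tcp_wmem
}

# The settings from the text as a sysctl.d fragment. The tcp_rmem/tcp_wmem
# min and initial values and the 5000 backlog are sample values chosen here.
tuning_fragment() {
  cat <<EOF
# Max and default socket buffer sizes for all protocols (bytes)
net.core.rmem_max = $BUF_BYTES
net.core.wmem_max = $BUF_BYTES
net.core.rmem_default = $BUF_BYTES
net.core.wmem_default = $BUF_BYTES
# TCP per-socket buffers: min, initial, max (bytes)
net.ipv4.tcp_rmem = 4096 87380 $BUF_BYTES
net.ipv4.tcp_wmem = 4096 65536 $BUF_BYTES
# Window scaling and timestamps (RFC 1323), selective acknowledgments
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
# Do not reuse cached metrics from closed connections
net.ipv4.tcp_no_metrics_save = 1
# Packets queued on the input side when the NIC outpaces the kernel
net.core.netdev_max_backlog = 5000
EOF
}

# Root: persist the fragment and load it (survives reboots under sysctl.d).
write_tuning() {
  tuning_fragment > /etc/sysctl.d/60-net-buffers.conf
  sysctl -p /etc/sysctl.d/60-net-buffers.conf
}
```

Run `show_current` before and after `write_tuning` to confirm the new limits took effect.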

Mark Shuttleworth wants to put an end to ACPI in the next generation of hardware

ACPI is a legacy of the late twentieth century, when it arrived to succeed standards that were either more limited, such as APM, or more complicated to get working (especially on Linux), such as the Plug and Play BIOS specification. With ACPI, it became possible to define general (platform-independent) interfaces for accessing system facilities such as hardware enumeration and configuration, power management (which was previously the BIOS's responsibility rather than the operating system's), and monitoring.

But Mark Shuttleworth, the founder of Canonical, has published his concern that, besides often being of dubious software quality, the vendor firmware that supports ACPI may, deliberately or not, serve as an "invisible" attack vector against users' privacy for the NSA and similar entities.

The solution he proposes is anything but simple: convince hardware manufacturers to always release the drivers for their innovations as open source code for use on Linux, and change the firmware standard to a declarative, purely descriptive model with no code execution. (via – “Shuttleworth: ACPI, firmware and your security []”)

How to get Netflix streaming on Ubuntu 12.10

Very Interesting post!

December 10, 2012, 7:00 AM PST

Takeaway: It’s taken quite some time, but Netflix streaming video has finally arrived on the Ubuntu Linux desktop. In this easy, step-by-step, Jack Wallen shows you how.

In one of my recent blog posts, I mentioned that Netflix streaming was now available for the Ubuntu 12.10 desktop. I’ve used it — it works like a champ. Any title in your Netflix library will play and play as expected. This means, for Linux users, no more having to depend upon streaming devices or watching Netflix on your Wii or PS3. Now you too can enjoy Netflix as was promised long ago by the company itself. This Netflix app is due to the hard work of programmer extraordinaire, Erich Hoover. With the help of WINE, Firefox, and Silverlight, Hoover was able to make this happen. Obviously, FOSS purists will turn their nose up at two things:

  • Silverlight
  • DRM

But, if you want streaming Netflix on your Linux desktop… you’ve no choice. When it comes to Hollywood, DRM is not going anywhere… ever.

The installation of Netflix on Ubuntu isn’t hard. In fact, it’s quite easy. It does, however, take some time.

Before you tackle this task, make sure your machine is fully updated. You can either do this from the update manager or from the command line. If from the command line, do the following:

  1. Open a terminal window
  2. Issue the command sudo apt-get update
  3. Enter your sudo password
  4. Once the update completes, issue the command sudo apt-get upgrade
  5. Accept the updates
  6. If prompted (in case of a kernel upgrade), reboot the machine

Now that your machine is fully prepped, it’s time to install the Netflix Desktop app. Here are the steps:

  1. Open up a terminal window
  2. Issue the command sudo apt-add-repository ppa:ehoover/compholio
  3. Hit Enter
  4. Issue the command sudo apt-get update
  5. Issue the command sudo apt-get install netflix-desktop

At this point you will see quite a large number of dependencies necessary for the installation (129 to be exact). Say OK to this and the installation will begin. Depending upon the speed of your network connection, this could take some time. Once that’s done, do the following:

  1. Open the Unity Dash
  2. Type netflix
  3. Click Install on the Wine Mono Installer (this is necessary for .NET)
  4. Click Install on the Wine Gecko Installer (this is necessary for embedded HTML to work properly)
  5. If you get an error, OK the error (I had this same thing happen on two machines — everything worked fine anyway)
  6. Allow the local installation to complete

At this point the Netflix Desktop application will open in full screen mode. To get out of that mode, hit F11. You will also find a new Firefox icon on your desktop. You can delete that if you like.

That’s it. You are now ready to enjoy streaming Netflix on your Ubuntu Linux desktop.
Install Classic Menu Indicator in Ubuntu 12.04

The Classic Menu Indicator is now available for Ubuntu 12.04 LTS Precise Pangolin as well as the earlier releases Oneiric and Natty. It adds a menu quite similar to the classic GNOME menu, with submenus for applications and system settings. (Works on Ubuntu 12.04 Precise Pangolin, 11.10 Oneiric and 11.04 Natty.)

Classic Menu

To install the Classic Indicator, open a terminal and enter the following commands:

Now press Alt+F2 and enter the following command to start the indicator:

© 2017 Ziben IT Solutions
