Archive for the ‘Linux’ Category

Mail queue management – Postfix

January 12, 2012

Using qshape :-

ftp://ftp.kfki.hu/pub/packages/mail/postfix/experimental/postfix-2.2-20050222-newdb-nonprod/auxiliary/qshape/qshape.pl

For example, in the output below we see the top 10 lines of the (mostly forged) sender domain distribution for captured spam in the “hold” queue:

$ qshape -s hold | head
                         T  5 10 20 40 80 160 320 640 1280 1280+
                 TOTAL 486  0  0  1  0  0   2   4  20   40   419
             yahoo.com  14  0  0  1  0  0   0   0   1    0    12
  extremepricecuts.net  13  0  0  0  0  0   0   0   2    0    11
        ms35.hinet.net  12  0  0  0  0  0   0   0   0    1    11
      winnersdaily.net  12  0  0  0  0  0   0   0   2    0    10
           hotmail.com  11  0  0  0  0  0   0   0   0    1    10
           worldnet.fr   6  0  0  0  0  0   0   0   0    0     6
        ms41.hinet.net   6  0  0  0  0  0   0   0   0    0     6
                osn.de   5  0  0  0  0  0   1   0   0    0     4

If one looks at the two queues separately, the incoming queue is empty or perhaps briefly has one or two messages, while the active queue holds more messages and for a somewhat longer time:

$ qshape incoming

                 T  5 10 20 40 80 160 320 640 1280 1280+
          TOTAL  0  0  0  0  0  0   0   0   0    0     0

$ qshape active

                 T  5 10 20 40 80 160 320 640 1280 1280+
          TOTAL  5  0  0  0  1  0   0   0   1    1     2
  meri.uwasa.fi  5  0  0  0  1  0   0   0   1    1     2

This is from a server where recipient validation is not yet available for some of the hosted domains. Dictionary attacks on the unvalidated domains result in bounce backscatter. The bounces dominate the queue, but with proper tuning they do not saturate the incoming or active queues. The high volume of deferred mail is not a direct cause for alarm.

$ qshape deferred | head

                         T  5 10 20 40 80 160 320 640 1280 1280+
                TOTAL 2234  4  2  5  9 31  57 108 201  464  1353
  heyhihellothere.com  207  0  0  1  1  6   6   8  25   68    92
  pleazerzoneprod.com  105  0  0  0  0  0   0   0   5   44    56
       groups.msn.com   63  2  1  2  4  4  14  14  14    8     0
    orion.toppoint.de   49  0  0  0  1  0   2   4   3   16    23
          kali.com.cn   46  0  0  0  0  1   0   2   6   12    25
        meri.uwasa.fi   44  0  0  0  0  1   0   2   8   11    22
    gjr.paknet.com.pk   43  1  0  0  1  1   3   3   6   12    16
 aristotle.algonet.se   41  0  0  0  0  0   1   2  11   12    15

Important commands :-

  • Print queue: postqueue -p
  • Delete all messages from the queue: postsuper -d ALL
  • Read a message: postcat -q <queue file id>
  • See what shape the queue is in: qshape

Release messages from hold

mailq | awk '{if($1 ~ /[A-F0-9]+!$/) {gsub(/!/, "", $1); print($1); system(sprintf("postsuper -H%s", $1)); } }'
postqueue -f

Requeue hold messages to force delivery

mailq | awk '{if($1 ~ /[A-F0-9]+!$/) {gsub(/!/, "", $1); print($1); system(sprintf("postsuper -H%s", $1)); } }'

Flush the queue

postqueue -f

Clean all MAILER-DAEMON error messages


Normal Messages

mailq | tail +2 | awk '{ if ($7 == "MAILER-DAEMON") print $1 } ' | postsuper -d -

For me, mailq returns the message id with a trailing !, so I use:

mailq | awk '{ if ($7 == "MAILER-DAEMON") print substr ($1, 1, length($1)-1) } ' | postsuper -d -


Messages with errors

mailq | grep MAILER-DAEMON |  sed -e 's/!$//' | cut -d " " -f 1 | postsuper -d -

or

mailq | tail +2 | awk '{ if ($7 == "MAILER-DAEMON") print $1 } ' | sed -e 's/!$//' | postsuper -d -

If you want to delete messages with the ! sign on the end (the delimiter is quoted so the shell does not interpret it), use

mailq | tail +2 | awk '{ if ($7 == "MAILER-DAEMON") print $1 } ' | cut -d '!' -f 1 | postsuper -d -

If you want to delete messages with the * sign on the end (again with the delimiter quoted, so * is not glob-expanded), use

mailq | tail +2 | awk '{ if ($7 == "MAILER-DAEMON") print $1 } ' | cut -d '*' -f 1 | postsuper -d -


NOTE: sometimes you may need to omit the tail +2.

Courtesy:

http://maia.deec.uc.pt/Computers/Operating_Systems/Linux/Servers/Mail/Postfix/Postfix_Queue_Man
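The separate !- and *-handling one-liners above can be folded into a single filter. The following is an added example, not code from the original post or its source: it extracts the queue IDs of MAILER-DAEMON bounces from mailq output, strips either status marker, and runs against a constructed mailq sample so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post: extract the queue IDs of bounce
# messages (sender MAILER-DAEMON) from "mailq" / "postqueue -p" output and
# strip the trailing status marker ('!' = on hold, '*' = in the active queue),
# so the IDs can be piped into "postsuper -d -" in one pass. Reads mailq text
# on stdin.

bounce_ids() {
    awk '
        # A queue-ID line starts with the ID, optionally suffixed by * or !,
        # and carries the envelope sender in the 7th field. Long queue IDs
        # (enable_long_queue_ids) are mixed-case, so match [A-Za-z0-9].
        $1 ~ /^[A-Za-z0-9]+[!*]?$/ && $7 == "MAILER-DAEMON" {
            id = $1
            sub(/[!*]$/, "", id)     # drop the hold/active marker
            print id
        }
    '
}

# Constructed sample of mailq output (not from a real server): one bounce on
# hold, one normal message in the active queue, one deferred bounce.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5!     1234 Thu Jan 12 10:00:00  MAILER-DAEMON
                                         user@example.com
B2C3D4E5F6*     2345 Thu Jan 12 10:01:00  sender@example.org
                                         other@example.net
C3D4E5F6A7      3456 Thu Jan 12 10:02:00  MAILER-DAEMON
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         third@example.net

-- 7 Kbytes in 3 Requests.'

# Print the bounce IDs found in the sample; on a live server you would run
# "mailq | bounce_ids | postsuper -d -" instead.
sample_bounce_ids() {
    printf '%s\n' "$SAMPLE_MAILQ" | bounce_ids
}
```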

Categories: Linux, plesk, Postfix

ffmpeg-php error

January 12, 2012

While compiling ffmpeg-php:-

Error:

/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c: In function ‘zif_ffmpeg_frame_toGDImage’:
/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c:336: error: ‘PIX_FMT_RGBA32’ undeclared (first use in this function)
/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c:336: error: (Each undeclared identifier is reported only once
/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c:336: error: for each function it appears in.)
/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c: In function ‘zif_ffmpeg_frame_ffmpeg_frame’:
/usr/src/ffmpeg-php-0.6.0/ffmpeg_frame.c:421: error: ‘PIX_FMT_RGBA32’ undeclared (first use in this function)


Fix: with the latest version of ffmpeg-php (0.6.0), edit ffmpeg_frame.c and replace every instance of PIX_FMT_RGBA32 with PIX_FMT_RGB32:

vi ffmpeg_frame.c
:%s/PIX_FMT_RGBA32/PIX_FMT_RGB32/g
:wq

Then rebuild and install the extension, and add extension="ffmpeg.so" to php.ini:

./configure
make
make install

Categories: centos, cPanel, Linux

TCP WRAPPER Services

January 11, 2012

Services linked against the libwrap library honour /etc/hosts.allow and /etc/hosts.deny; check whether a daemon is linked against it with ldd:

ldd /usr/sbin/vsftpd   | grep libwrap
ldd /usr/sbin/sendmail | grep libwrap
ldd /usr/sbin/sshd     | grep libwrap

To restrict a host or network from accessing a service (tcp_wrappers requires a colon between the daemon list and the client list):

1. Using a hostname or domain name
vim /etc/hosts.deny
vsftpd: .example.com                      -> all hosts in the example.com domain are denied ftp access
vsftpd: server.example.com                -> the host server.example.com is denied access

2. Using an IP address or network
vim /etc/hosts.deny
vsftpd: 192.168.1.0/255.255.255.0         -> all hosts in the 192.168.1.0/24 network are denied
vsftpd: 192.168.1.4                       -> the host 192.168.1.4 is denied

3. Deny all except a few
vim /etc/hosts.deny
sshd: ALL EXCEPT matrix.com               -> every client other than matrix.com is denied ssh access

4. Allow all except a few
vim /etc/hosts.allow
ALL: .example.com EXCEPT cracker.example.com   -> all example.com hosts may connect to all services except cracker.example.com

Both allow and deny entries can be written in either hosts.allow or hosts.deny.
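
The decision order matters more than the file a rule lives in: libwrap grants on the first match in hosts.allow, refuses on the first match in hosts.deny, and otherwise grants. The evaluator below is an added example (not part of the original post and not the real libwrap, which should be checked with tcpdmatch(8)); it implements the pattern forms used above on constructed rule files, and shows that the exact pattern matrix.com does not cover hosts inside that domain the way .matrix.com would.

```shell
#!/bin/sh
# Added example, not from the original post: a small tcp_wrappers rule
# evaluator in awk mirroring libwrap's order: first match in hosts.allow
# grants, otherwise first match in hosts.deny refuses, otherwise access is
# granted. Supports ALL, exact host/IP, ".domain" suffix, "net/mask"
# (contiguous masks) and "... EXCEPT ...". Both files must exist.
# usage: wrap_decide DAEMON HOSTNAME IP ALLOWFILE DENYFILE   -> allow|deny
wrap_decide() {
    awk -v daemon="$1" -v host="$2" -v ip="$3" '
    function in_net(addr, net, mask,   i, a, n, m, blk) {
        split(addr, a, "."); split(net, n, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++) {
            blk = 256 - m[i]                 # octet block size for this mask
            if (a[i] - a[i] % blk != n[i]) return 0
        }
        return 1
    }
    # one client pattern against hostname or address
    function pat_match(p,   q) {
        if (p == "ALL" || p == host || p == ip) return 1
        if (p ~ /^\./) return substr(host, length(host) - length(p) + 1) == p
        if (p ~ /^[0-9.]+\/[0-9.]+$/) { split(p, q, "/"); return in_net(ip, q[1], q[2]) }
        return 0
    }
    # "a b EXCEPT c d": matched by any of a b and by none of c d
    function list_match(list, isdaemon,   n, i, w, inc, hit, m) {
        n = split(list, w, /[ \t]+/); inc = 1; hit = 0
        for (i = 1; i <= n; i++) {
            if (w[i] == "") continue
            if (w[i] == "EXCEPT") { if (!hit) return 0; inc = 0; continue }
            m = isdaemon ? (w[i] == "ALL" || w[i] == daemon) : pat_match(w[i])
            if (inc && m) hit = 1
            if (!inc && m) return 0
        }
        return hit
    }
    /^[ \t]*#/ || !/:/ { next }          # comments and malformed lines
    {
        split($0, f, ":")
        if (list_match(f[1], 1) && list_match(f[2], 0)) {
            decided = 1
            print (FILENAME == ARGV[1] ? "allow" : "deny")
            exit
        }
    }
    END { if (!decided) print "allow" }  # no rule matched: libwrap allows
    ' "$4" "$5"
}

# Constructed sample rule files with the four forms used in the post.
write_sample_rules() {   # usage: write_sample_rules DIR
    printf '%s\n' 'ALL: .example.com EXCEPT cracker.example.com' >"$1/hosts.allow"
    printf '%s\n' 'vsftpd: .example.com' 'vsftpd: 192.168.1.0/255.255.255.0' \
                  'sshd: ALL EXCEPT matrix.com' >"$1/hosts.deny"
}
```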

Categories: centos, freebsd, Linux

Configure a Linux-HA high availability heartbeat cluster

December 23, 2011

In this example we will configure a webserver using apache and cluster it. The same steps work on CentOS, Fedora and other Red Hat flavours.

Pre-Configuration Requirements

Following are the hostnames and ipv4 addresses that will be used:

  • 192.168.1.15 prime ( webserver)
  • 192.168.1.16 calc (webserver)
  • 192.168.1.20 sigma (ha address)

Configuration

1. Download and install the heartbeat package. In our case we are using CentOS so we will install heartbeat with yum:

yum install heartbeat

or download these packages:

heartbeat-2.08
heartbeat-pils-2.08
heartbeat-stonith-2.08

2. Now we have to configure heartbeat on our two node cluster. We will deal with three files. These are:

  1. /etc/ha.d/ha.cf: protocol, server options and servers.
  2. /etc/ha.d/authkeys: shared keys file
  3. /etc/ha.d/haresources: resource definitions

ha.cf

For the example setup the ha.cf file looks like the following:

debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility     local0
keepalive 2
deadtime 10
udpport 694
bcast     eth0
node    prime
node    calc
auto_failback on

The above options are pretty straightforward: where the debug log is, the log file, the syslog facility, the keepalive interval in seconds, the deadtime in seconds after which a node is declared dead, the UDP port, the interface to broadcast on, and then the nodes in the cluster.

authkeys

The documentation explains the various options but for this example we are using sha1 algorithm:

#vi authkeys
edit as follows
auth 2
#1 crc
2 sha1 test-ha
#3 md5 Hello!

The authkeys file must also be readable by root only:

chmod 0600 authkeys

haresources

The resources file dictates the shared address and services in init to startup (or shutdown as the case may be):

prime 192.168.1.20 apache2

The starting (primary) server is given as the first argument. The configuration on the primary server is now done; the exact same settings can be used on the secondary one.

Copy the /etc/ha.d/ directory from node01 to node02:

scp -r /etc/ha.d/ root@calc:/etc/

3.  Now exchange and save authorized keys between node1 and node2.
Key exchange:

On node1:

Generate the key:

[root@prime ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
9f:5d:47:6b:2a:2e:c8:3e:ee:8a:c2:28:5c:ad:57:79 root@prime

Pass the key to node2:
[root@prime ~]# scp .ssh/id_dsa.pub calc:/root/.ssh/authorized_keys

On node2:

Generate the key:

[root@calc ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
40:66:t8:bd:ac:bf:68:38:22:60:d8:9f:18:7d:94:21 root@calc

Pass the key to node1:
[root@calc ~]# scp .ssh/id_dsa.pub prime:/root/.ssh/authorized_keys

NOTE: We don’t need to create a virtual network interface and assign an IP address (192.168.1.20) to it. Heartbeat will do this for you, and start the service (httpd) itself. So don’t worry about this.

4. A basic apache server for the test is required as well:

 #yum install httpd*

To illustrate the test, a simple page on each webserver with its hostname can be used and put into /var/www/html/index.html:

<html><head></head><body>prime</body></html>
<html><head></head><body>calc</body></html>

Next, start the webservers and set them to start at boot (run on both systems):

service apache2 start
chkconfig apache2 on

Now time to test the systems separately with lynx --dump:

# lynx --dump prime
   prime

# lynx --dump calc
   calc

5. On both nodes:

#vi /etc/httpd/conf/httpd.conf
 Listen 192.168.1.20:80

Firing it Up

Starting up is pretty simple:

# chkconfig heartbeat on
# service heartbeat start
Starting High-Availability services2009/07/25_21:04:30 INFO:  \
        Resource is stopped
heartbeat[4071]: 2009/07/25_21:04:30 info: Version 2 support: false
heartbeat[4071]: 2009/07/25_21:04:30 info: **************************
heartbeat[4071]: 2009/07/25_21:04:30 info: \
        Configuration validated. Starting heartbeat 2.99.3

Now a litmus test of the shared address:

#  lynx --dump 192.168.1.20
   prime

Testing

Testing can be a little tricky. The simplest way is to stop the heartbeat service on the active node and let the other one take over; observe the log entries on the calc node:

IPaddr[5106]:   2009/07/25_21:32:55 INFO: eval \
        ifconfig eth0:0 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255
IPaddr[5089]:   2009/07/25_21:32:55 INFO:  Success
ResourceManager[5006]:  2009/07/25_21:32:55 \
        info: Running /etc/init.d/apache2  start
mach_down[4980]:        2009/07/25_21:32:58 info: \
        mach_down takeover complete for node prime.
heartbeat[4241]: 2009/07/25_21:33:05 WARN: node prime: is dead
heartbeat[4241]: 2009/07/25_21:33:05 info: Dead node prime gave up resources.
heartbeat[4241]: 2009/07/25_21:33:05 info: Resources being acquired from prime.
heartbeat[4241]: 2009/07/25_21:33:05 info: Link prime:eth0 dead.
harc[5258]:     2009/07/25_21:33:06 info: Running /etc/ha.d/rc.d/status status
heartbeat[5259]: 2009/07/25_21:33:06 info: \
        No local resources [/usr/share/heartbeat/ResourceManager \
        listkeys calc] to acquire.
mach_down[5287]:        2009/07/25_21:33:06 info: \
        Taking over resource group 192.168.1.20
ResourceManager[5313]:  2009/07/25_21:33:06 \
        info: Acquiring resource group: prime 192.168.1.20 apache2
IPaddr[5340]:   2009/07/25_21:33:06 INFO:  Running OK
mach_down[5287]:        2009/07/25_21:33:07 \
        info: mach_down takeover complete for node prime.

And a quick check with lynx:

#  lynx --dump 192.168.1.20
   calc

Note that once prime is back online, calc gives control back:

ResourceManager[5515]:  2009/07/25_21:33:43 info: \
        Releasing resource group: prime 192.168.1.20 apache2
ResourceManager[5515]:  2009/07/25_21:33:43 info: \
        Running /etc/init.d/apache2  stop
ResourceManager[5515]:  2009/07/25_21:33:44 info: \
        Running /etc/ha.d/resource.d/IPaddr 192.168.1.20 stop
IPaddr[5592]:   2009/07/25_21:33:44 INFO: ifconfig eth0:0 down
IPaddr[5575]:   2009/07/25_21:33:44 INFO:  Success

Don’t use the IP addresses 192.168.1.15 and 192.168.1.16 for services. These addresses are used by heartbeat for communication between node01 and node02. If either of them is used for services/resources it will disturb heartbeat and the cluster will not work. Be careful!
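
The authkeys secret is the only thing that stops another host on the broadcast segment from injecting cluster messages, so a short word like test-ha is worth replacing before the file is copied to the second node. The script below is an added example, not part of the original post or of Linux-HA: it writes an authkeys file with a random sha1 secret and checks a file the way a reviewer would (index points at a defined method, md5/sha1 carry a key, mode 0600). The 16-character minimum key length is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate /etc/ha.d/authkeys
# with a random sha1 secret (rather than a guessable word such as "test-ha")
# and validate an authkeys file before copying it to the second node.
# The file path is a parameter so it can be exercised on a scratch file.
# Assumption: a key shorter than 16 characters is treated as too weak.

# Write "auth 1" and a sha1 line keyed with 16 random bytes (32 hex chars),
# created with mode 0600 since heartbeat refuses group/world-readable files.
make_authkeys() {   # usage: make_authkeys FILE
    umask 077
    secret=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf 'auth 1\n1 sha1 %s\n' "$secret" >"$1"
}

# Return 0 if FILE is usable: "auth N" names a defined method line, the
# method is crc, md5 or sha1, md5/sha1 carry a key of reasonable length, and
# the file is readable by its owner only. Problems are reported on stderr.
check_authkeys() {   # usage: check_authkeys FILE
    f="$1"
    idx=$(awk '$1 == "auth" { print $2; exit }' "$f")
    [ -n "$idx" ] || { echo "$f: missing 'auth N' line" >&2; return 1; }
    # the selected line: first field is the index, second the method, third the key
    set -- $(awk -v i="$idx" '$1 == i { print; exit }' "$f")
    [ -n "$2" ] || { echo "$f: method $idx is not defined" >&2; return 1; }
    case "$2" in
        crc)      echo "$f: crc is a checksum only, not authentication" >&2 ;;
        md5|sha1) [ -n "$3" ] || { echo "$f: $2 needs a shared key" >&2; return 1; }
                  [ "${#3}" -ge 16 ] || { echo "$f: key too short" >&2; return 1; } ;;
        *)        echo "$f: unknown method $2" >&2; return 1 ;;
    esac
    case "$(ls -ld "$f")" in
        -rw-------*|-r--------*) ;;
        *) echo "$f: must be readable by owner only (chmod 0600)" >&2; return 1 ;;
    esac
}
```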

Categories: centos, Linux

Recover Deleted Linux Files With lsof

December 3, 2011

To try this out, create a test text file, save it and then type less deleted.txt. Open another terminal window, and type rm -f deleted.txt. If you try ls deleted.txt you’ll get an error message.

But less still has a reference to the file:

> lsof | grep deleted.txt
less	4607	nithins 4r  REG 254,4   21
           8880214 /home/nithins/deleted.txt (deleted)

Take the PID of the process that has the file open (second column, 4607) and the file descriptor (fourth column, 4). Now look in /proc, where you will see a reference to this inode, from which we can copy the file back:

> ls -l /proc/4607/fd/4
lr-x------ 1 nithins nithins 32 Apr  18 02:59
             /proc/4607/fd/4 -> /home/nithins/deleted.txt (deleted)
> cp /proc/4607/fd/4 deleted.txt.bak

Note: don’t use the -a flag with cp, as this will copy the (broken) symbolic link, rather than the actual file contents.

In the same way you can recover apache files (config/log) from the parent process PID if they were deleted accidentally. Try it out!
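
The lsof/proc lookup above can be scripted so that every descriptor still pointing at the deleted path is found without knowing the PID in advance. The following is an added example, not code from the original post: it scans /proc for "(deleted)" links, copies the data back through the first one, and exercises itself on a constructed temporary file held open on fd 3.

```shell
#!/bin/sh
# Added example, not from the original post: find and copy back a deleted
# file that some process still holds open, by scanning /proc/*/fd for links
# whose target ends in "(deleted)". Linux only; scanning other users'
# processes needs root. The demo function at the end exercises it on a
# constructed temporary file.

# Print "PID FD" for each open descriptor whose target was PATH and has since
# been unlinked (readlink then reports "/path/to/file (deleted)").
find_deleted_fds() {   # usage: find_deleted_fds /absolute/path
    for fd in /proc/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$1 (deleted)" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "${fd##*/}"
        fi
    done
}

# Copy the still-open contents of PATH to DEST through the first matching
# descriptor. Plain cp follows the /proc link to the open inode; cp -a would
# copy the dangling symlink instead of the data.
recover_deleted() {   # usage: recover_deleted /absolute/path /dest
    rd_hit=$(find_deleted_fds "$1" | head -n 1)
    [ -n "$rd_hit" ] || { echo "no process holds $1 open" >&2; return 1; }
    cp "/proc/${rd_hit% *}/fd/${rd_hit#* }" "$2"
}

# Demonstration: create a file, keep it open on fd 3 (as "less" does in the
# post), delete it, recover it, and print the recovered content.
demo_recover() {
    dir=$(cd "$(mktemp -d)" && pwd -P); f="$dir/deleted.txt"
    printf 'important log line\n' >"$f"
    exec 3<"$f"
    rm -f "$f"
    recover_deleted "$f" "$dir/deleted.txt.bak" || return 1
    exec 3<&-
    cat "$dir/deleted.txt.bak"
    rm -rf "$dir"
}
```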

Categories: Linux

OpenSSH Server Best Security Practices

January 12, 2011

Default Config Files and SSH Port

  • /etc/ssh/sshd_config – OpenSSH server configuration file.
  • /etc/ssh/ssh_config – OpenSSH client configuration file.
  • ~/.ssh/ – Users ssh configuration directory.
  • ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2) – Lists the public keys (RSA or DSA) that can be used to log into the user’s account
  • /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
  • SSH default port : TCP 22

Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle attacks and has other security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open the sshd_config file and make sure the following line exists:

Protocol 2

Limit Users’ SSH Access

By default all system users can log in via SSH using their password or public key. Sometimes you create a UNIX / Linux user account for ftp or email purposes. However, those users can log in to the system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated php script and an attacker was able to create a new account on the system via that php script. However, the attacker failed to get into the box via ssh because the account wasn’t in AllowUsers.

To only allow the root, sunny and sumi users to use the system via SSH, add the following to sshd_config:

AllowUsers root sumi sunny

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers suraj anuja foo

Configure Idle Log Out Timeout Interval

Users can log in to the server via ssh and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300

ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).

Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

Disable root Login via SSH

There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

Firewall SSH Port # 22

You need to firewall ssh port 22 by updating your iptables or pf firewall configuration. Usually the OpenSSH server should only accept connections from your LAN or from other remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Change SSH Port and Limit IP Binding

By default SSH listens on all available interfaces and IP addresses on the system. Limit the ssh port binding and change the ssh port (by default brute-forcing scripts only try to connect to port 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

Use Public Key Based Authentication

Use a public/private key pair with a passphrase protecting the private key. See how to use RSA and DSA key based authentication. Never use a passphrase-free key for login.

Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

Chroot SSHD (Lock Down Users To Their Home Directories)

http://www.debian-administration.org/articles/590

Use TCP Wrappers

TCP Wrappers is a host-based network ACL system used to filter network access to services. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12

Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:

PermitEmptyPasswords no
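
The sshd_config settings recommended so far (Protocol, AllowUsers, ClientAliveInterval, HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords) are easy to get wrong in one detail: sshd honours the first occurrence of a keyword, so a hardened line appended below an existing one is silently ignored. The audit script below is an added example, not part of the original post: it resolves each keyword the way sshd does and reports deviations from the settings above, exercised on two constructed config files.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file
# against the settings recommended above. Assumes plain OpenSSH keyword
# syntax ("Keyword value", keyword case-insensitive, '#' starts a comment).

# Effective value of a keyword: sshd takes the FIRST uncommented occurrence,
# so a hardened line appended below a default one is silently ignored.
sshd_opt() {   # usage: sshd_opt FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

FINDINGS=0          # global counter, reset by audit_sshd_config

# Record one finding: FILE KEYWORD ACTUAL WANTED REASON
finding() {
    printf '%s: %s is "%s", want %s (%s)\n' "$1" "$2" "${3:-<unset>}" "$4" "$5"
    FINDINGS=$((FINDINGS + 1))
}

# Keyword must be set explicitly to the expected value (case-insensitive).
want_eq() {   # usage: want_eq FILE KEYWORD EXPECTED REASON
    v=$(sshd_opt "$1" "$2")
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        "$3") ;;
        *)    finding "$1" "$2" "$v" "$3" "$4" ;;
    esac
}

# Audit FILE; prints findings, returns 0 only when the file is clean.
audit_sshd_config() {
    f="$1"; FINDINGS=0
    want_eq "$f" Protocol 2 "SSH-1 is obsolete and MITM-prone"
    want_eq "$f" PermitRootLogin no "use su/sudo so privileged use is audited"
    want_eq "$f" PermitEmptyPasswords no "blank-password accounts must not log in"
    want_eq "$f" HostbasedAuthentication no "host-based trust is spoofable"
    # Idle timeout: the post recommends ClientAliveInterval 300 (5 minutes).
    v=$(sshd_opt "$f" ClientAliveInterval)
    case "$v" in
        ''|0|*[!0-9]*) finding "$f" ClientAliveInterval "$v" "1..300" "no idle timeout" ;;
        *) [ "$v" -le 300 ] || finding "$f" ClientAliveInterval "$v" "1..300" "idle timeout too long" ;;
    esac
    # Without AllowUsers/AllowGroups every local account (ftp, mail, ...) may log in.
    if [ -z "$(sshd_opt "$f" AllowUsers)$(sshd_opt "$f" AllowGroups)" ]; then
        finding "$f" AllowUsers "" "<user list>" "every system account may log in over SSH"
    fi
    [ "$FINDINGS" -eq 0 ]
}

# Constructed sample configs for an offline run (not from a real host).
write_weak_config() {   # usage: write_weak_config FILE
    cat >"$1" <<'EOF'
# constructed sample: weak settings
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
HostbasedAuthentication yes
ClientAliveInterval 0
Port 22
EOF
}
write_hardened_config() {   # usage: write_hardened_config FILE
    cat >"$1" <<'EOF'
# constructed sample: the settings recommended in the post
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers sumi sunny
Port 300
ListenAddress 192.168.1.5
EOF
}
```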

Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed network of computers. To prevent brute force attacks against SSH, use one of the following tools:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock block abusive SSH login attempts.
  • security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
  • BlockHosts Automatic blocking of abusive IP hosts.
  • Blacklist Get rid of those bruteforce attempts.
  • Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
  • IPQ BDB filter May be considered as a fail2ban lite.

Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide a rate-limit option to perform simple throttling of incoming connections on port 22.

Iptables Example

The following example will drop incoming connections from a source that makes more than 5 connection attempts to port 22 within 60 seconds:

#!/bin/bash

IPT=/sbin/iptables      # path to the iptables binary
inet_if=eth1            # Internet-facing interface
ssh_port=22

# record every new connection to the ssh port in the "recent" list
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set

# inserted above the previous rule: drop the source once it exceeds 5 hits in 60 seconds
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above script from your iptables scripts. Another config option:

$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT

# another one line example

# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following limits the maximum number of connections per source to 20 and rate-limits connections to 15 in a 5 second span. Any source that breaks these rules is added to the abusive_ips table and blocked from making further connections. Finally, the flush keyword kills all states created by the matching rule that originate from the host exceeding these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

# stage1: the first knock (port 1234) has been seen; wait for the second
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

# stage2: the second knock (port 3456) has been seen; wait for the third
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

# door: route each new SYN to the stage matching the knocks seen in the last 5 seconds
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only a source that completed the sequence within 5 seconds reaches sshd
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier: they go through your logs for a given period of time and produce a report on the areas you wish with the detail you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Use PAM To Control Access

You can also configure Linux PAM to allow or deny logins through the sshd server, for example by listing the group names that are allowed or denied ssh access.

Categories: Linux, Uncategorized

How to use parted for creating partitions larger than 2 TB

January 12, 2011

To create partitions larger than 2TB we need to use GPT labels. Standard fdisk doesn’t understand GPT labels so we need to use parted.

Here we are going to partition the disk /dev/sdb

root@localhost ~> parted /dev/sdb

This will bring up parted.  Type help to view the commands in parted prompt.

(parted) help
check NUMBER                             do a simple check on the file system
cp [FROM-DEVICE] FROM-NUMBER TO-NUMBER   copy file system to another partition
help [COMMAND]                           prints general help, or help on COMMAND
mklabel,mktable LABEL-TYPE               create a new disklabel (partition table)
mkfs NUMBER FS-TYPE                      make a FS-TYPE file system on partititon NUMBER
mkpart PART-TYPE [FS-TYPE] START END     make a partition
mkpartfs PART-TYPE FS-TYPE START END     make a partition with a file system
move NUMBER START END                    move partition NUMBER
name NUMBER NAME                         name partition NUMBER as NAME
print [free|NUMBER|all]                  display the partition table, a partition, or all devices
quit                                     exit program
rescue START END                         rescue a lost partition near START and END
resize NUMBER START END                  resize partition NUMBER and its file system
rm NUMBER                                delete partition NUMBER
select DEVICE                            choose the device to edit
set NUMBER FLAG STATE                    change the FLAG on partition NUMBER
toggle [NUMBER [FLAG]]                   toggle the state of FLAG on partition NUMBER
unit UNIT                                set the default unit to UNIT
version                                  displays the current version of GNU Parted and copyright information

root@localhost ~> parted /dev/sdb
GNU Parted 1.8.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted)

To change the label to gpt we run the following command:

(parted) mklabel gpt

Next run the print command: This will list the disk geometry. Please note the size listed:

(parted) print

Model: Adaptec raid5-1 (scsi)
Disk /dev/sdb: 10.7TB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name     Flags

This will tell us where to start and end the partitions. To create one huge partition ( 8 Tb = 8388608 bytes) run the following commands:

(parted) mkpart primary 0 8388607.000

The command reads as make a primary partition, start at 0 and end at 8388607.000

Also, if you are making a partition for a device smaller than the limit from the notes below, you can use the following if the geometry doesn’t show like it does above. Just exit out of parted, and run this from a shell:

root@localhost ~> parted -s -- /dev/sdb mkpart primary ext3 0 -1

This will take the whole disk for creating the partition.

The partition has been created and now you can quit parted:

(parted) quit

Now all that has to be done is to format the partition (the -m switch tells mkfs to reserve only 1% of the blocks for the super user):

root@localhost ~> mkfs.ext3 -m1 /dev/sdb1
mke2fs 1.39 (29-May-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1024000000 inodes, 2047999751 blocks
20479997 blocks (1.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
62500 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848, 512000000, 550731776, 644972544, 1934917632

Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Mount the disk

root@localhost ~> mount /dev/sdb1 /disk1

root@localhost ~> df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             240G  2.3G  225G   2% /
/dev/sda1             996M   45M  900M   5% /boot
tmpfs                 2.0G     0  2.0G   0% /dev/shm
/dev/sdb1             7.6T  177M  7.5T   1% /disk1

Now edit /etc/fstab to mount the partition automatically on boot.

root@localhost ~>vi /etc/fstab

Add the following  line  in /etc/fstab

/dev/sdb1     /disk1   ext3    defaults        0 0


Categories: Linux, tech