SSH
Howto: Allowing SFTP access while chrooting the user and denying shell access.
Usually SFTP allows a system user to access their home directory to upload and download files with their account. But the SFTP user can also navigate anywhere else on the server and sometimes download files from there, which is a security vulnerability.
With chroot for SFTP, access to the rest of the system is denied, because the users are chrooted to their home directory. Thus users will not be able to snoop around the system in /etc or application directories. Shell login for the account is also denied.
The procedure below allowed me to enable this SFTP restriction:
1, Add a new group
2, Create a chroot directory to launch the logins into, which must be owned by root
3, Modify the sftp subsystem to internal-sftp and force the chroot directory
4, Reload the configuration
Steps :
Create the chroot launch directory so that others have no privilege on it
mkdir /opt/chroot
chown root:root /opt/chroot
chmod 700 /opt/chroot
Create a common group for the chrooted users; the SSH Match rule will apply to the group
groupadd sftpgroup
useradd -g sftpgroup -s /sbin/nologin -d /opt/chroot/planetuser planetuser
passwd planetuser
Modify ssh configuration
vi /etc/ssh/sshd_config
Comment out the general sftp subsystem and add the new rule
#Subsystem sftp /usr/lib/openssh/sftp-server
# Add the line
Subsystem sftp internal-sftp
# Rules for sftp group
Match group sftpgroup
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Then restart the SSH service
service sshd restart
Howto: Setup and Secure Linux SSH Logins to use Private PEM Keys
One of the most secure ways to connect over SSH from the public internet is with a private key; the key authentication mechanism won't let attackers stress the SSH service, and it won't allow DDoS or brute-force attacks either. This is the default login type for Amazon EC2 servers, which provide a single key for the default user; we can add more keys according to the requirement.
Here my requirement is to create a new user and allow that user to log in with a different key, so that the user lands in their own home directory and is limited to their own privileges. I followed the steps below to create the key pair:
1, Create a key pair on any Unix system; this generates two keys, public and private.
2, Append the public key to the user's SSH authorized_keys file.
3, Keep the private key with yourself and pass it along with the SSH connection.
Step 1: Create a new user
useradd anand
Step 2: Generate the public/private key files
ssh-keygen -b 1024 -f anand -t dsa
ls -la anand*
-rw-r--r-- 1 root root 1200 Oct 10 09:57 anand.pub
-rw-r--r-- 1 root root 1812 Oct 10 09:57 anand.pem
mkdir /home/anand/.ssh
cat anand.pub >> /home/anand/.ssh/authorized_keys
chmod 600 /home/anand/.ssh/authorized_keys
chmod 700 /home/anand/.ssh/
chown -R anand /home/anand/.ssh/
ssh -i anand.pem anand@planetcure.in
The authenticity of host 'planetcure.in (54.203.253.9)' can't be established.
RSA key fingerprint is 6b:69:6f:86:94:6a:18:1d:ea:dc:0d:1d:af:9d:2f:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'planetcure.in' (RSA) to the list of known hosts.
anand@planetcure.in's password:
[anand@planetcure ~]$
Error: postfix: warning: SASL authentication failure: No worthy mechs found
After configuring a Postfix relay server I found there was an issue with Gmail server authentication; it bounced the emails with this error:
Error:
postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.25.108]: no mechanism available
postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found
There must be two solid reasons behind this:
1, The SASL package for the plain module is missing
yum install cyrus-sasl{,-plain}
2, Allow plaintext authentication (which is fine when using STARTTLS), and make the connection encrypted:
smtp_sasl_security_options = noanonymous
Make sure you have enabled all the options below:
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
HowTo: Authenticated email relay server with Postfix
Set up Postfix as an email relay server that authenticates with a public email server for sending mail. If you want to use Gmail as a free SMTP server, use this on any Red Hat or Ubuntu server.
For Ubuntu
apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
Add the CA certificate file to the Postfix configuration
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem
If you did not have Postfix installed before, the Postfix configuration wizard will ask you some questions. Just select your server as Internet Site and for the FQDN use something like mail.example.com.
For CentOS
yum install postfix email mailx cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
[root@server ~]# vi /etc/postfix/main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = smtpout.innovautelabs.intra
mydomain = innovaturelabs.intra
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, , localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
Now create a password file that holds a valid email address and password. Once the password file is hashed, Postfix reads the data from the hashed map, so after that you can delete the plaintext password file. Alternatively, if you'd feel better keeping the file around for whatever reason, run chmod 600 on it to make it readable only by its owner, which should be root.
vi /etc/postfix/sasl-passwords
[smtp.gmail.com]:587 username@gmail.com:password
chmod 600 /etc/postfix/sasl-passwords
postmap /etc/postfix/sasl-passwords
Finally, restart Postfix for the changes to take effect:
service postfix restart
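As an added check (not part of the original post), the following shell function audits a main.cf for the relay settings listed above and confirms the SASL password map is locked down and has been run through postmap. The function name and the exact-value matching are my own assumptions, and it assumes GNU stat; the sample main.cf in the comments is constructed.

```shell
#!/bin/sh
# Added example: audit a Postfix relay configuration for the settings this howto
# depends on. Returns 0 only when every setting and the password map check out.
# Usage: audit_postfix_relay /etc/postfix/main.cf /etc/postfix/sasl-passwords
audit_postfix_relay() {
    cf=$1
    pw=$2
    status=0
    # key=value pairs the relay needs (values as given in the post)
    for kv in 'smtp_sasl_auth_enable=yes' \
              'smtp_use_tls=yes' \
              'smtp_tls_security_level=encrypt' \
              'smtp_sasl_security_options=noanonymous' \
              'smtp_sasl_mechanism_filter=login'; do
        key=${kv%%=*}
        want=${kv#*=}
        # Postfix uses the last uncommented assignment, so take the last match
        got=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$cf" \
              | tail -n 1 | sed 's/[[:space:]]*$//')
        if [ "$got" != "$want" ]; then
            echo "WRONG: $key = '$got' (want '$want')"
            status=1
        fi
    done
    # the plaintext map must exist, be owner-only, and have a compiled .db beside it
    if [ ! -f "$pw" ]; then
        echo "MISSING: $pw"
        status=1
    else
        [ "$(stat -c %a "$pw")" = 600 ] || { echo "MODE: $pw should be 0600"; status=1; }
        [ -f "$pw.db" ] || { echo "NOT MAPPED: run postmap $pw"; status=1; }
    fi
    return $status
}
```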
HowTo: Password-less login in Linux.
Password-less logins let you get into the server even if the password has been changed or expired.
It can be achieved with a single Unix command; you can use either this or the detailed steps given below. It will prompt for the password of server2 once, and after that the next login will be password-less.
[root@srv-51 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub syncfuser@192.168.1.52
Detailed steps:
1, Generate the public key on server-1; ignore this step if it already exists
[root@srv-51 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8f:99:9f:8f:ba:bf:15:ca:6b:1f:83:06:a2:1a:9c:59 root@srv-51
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|    E . S .      |
|   . + . . B o . |
|    = . + * +    |
|     o o.= o     |
|    . o=B+o      |
+-----------------+
3, Grab the key and add it to the authorized_keys file on server2
[root@srv-51 ~]# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain
4, The authorized_keys entry on server2 looks like this
[root@srv-52 ~]# cat /home/syncfuser/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain
Finally the output will be like this
[root@srv-51 ~]# ssh syncfuser@192.168.1.52
Last login: Wed Jun 25 17:08:25 2014 from 192.168.1.51
[syncfuser@srv-52 ~]$
Now the root user on server1 can log in password-less to syncfuser on server2. 🙂
HowTo: Increase The Maximum Number Of Open Files / File Descriptors (FD)
Sometimes we get the error message "too many open files"; it is because you have reached the limit of open files. You could always try doing a ulimit -n 2048. This only resets the limit for your current shell, and the number you specify must not exceed the hard limit.
Each operating system has a different hard limit setup in a configuration file. For instance, the hard open file limit on Solaris can be set on boot from /etc/system.
[anand@planetcure ~]$ cat /proc/sys/fs/file-max
172214
This shows the maximum number of open files for a single user; you can also use the commands below.
# ulimit -Hn
# ulimit -Sn
We can set this system-wide or per user. For the global configuration we use the /etc/sysctl.conf file on Linux. You can increase the maximum number of open files by setting a new value in the kernel variable /proc/sys/fs/file-max as follows (log in as root):
System-wide File Descriptors (FD) Limits
# sysctl -w fs.file-max=100000
The command sets the new limit to 100000. To make it permanent, append the line "fs.file-max = 100000" to /etc/sysctl.conf; then it will not change after a reboot.
# sysctl -p
Verify using the command below
# sysctl fs.file-max
User-level File Descriptors (FD) Limits
In some cases we need to specify different settings for particular users. These override the system-wide settings and give new limits to those users.
Specify the limits by editing the /etc/security/limits.conf file; we can also use this file for all-user limits.
For apache:
httpd soft nofile 1024
httpd hard nofile 2048
All user limits
* soft nofile 1024
* hard nofile 2048
Save and close the file. You have to log in again to get the new value.
su httpd -c "ulimit -Hn"
su httpd -c "ulimit -Sn"
Bash: History appending for multiple sessions
I had a requirement to list all the command history when multiple terminal sessions are in use from different places for a single user. I followed the steps below.
Step 1: Create a new file with the entries below
root@appserver:# cat /etc/profile.d/bash_history.sh
# append this session's new lines, clear the in-memory list, then re-read the shared file
function share_history {
    history -a
    history -c
    history -r
}
HISTSIZE=99999
HISTCONTROL=ignoredups
# colour the timestamp: blue date, red time, then reset
HISTTIMEFORMAT=`echo -e "\033[1;34m%d/%h/%Y \033[1;31m%H:%M:%S \033[0m"`
PROMPT_COMMAND='share_history'
shopt -u histappend
Step 2: Activate it at run time
root@appserver:# source /etc/profile.d/bash_history.sh
Now you can see the list of older histories
Sample output:
1005 26/Dec/2013 14:23:08 vi /etc/profile.d/bash_history.sh
1006 26/Dec/2013 14:23:27 source /etc/profile.d/bash_history.sh
1007 26/Dec/2013 14:23:31 history
Howto: mounting remote folder using ssh with fstab
Mostly I suggest NFS for network shares, since it is easy to share over the network, and for Windows I use Samba. Here I found a suitable solution for mounting a remote share without setting up any file-sharing server: we can directly mount folders using SSH, with FUSE working behind it.
For this kind of setup you need to install the few packages listed below
fuse-2.7.4-8.el5.i386.rpm
fuse-libs-2.7.4-8.el5.i386.rpm
fuse-sshfs-2.4-1.el5.i386.rpm
Direct download package repository:
ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/
Installation steps:
cd /home/downloads
wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-libs-2.7.4-8.el5.i386.rpm
wget ftp://195.220.108.108/linux/epel/5/i386/fuse-sshfs-2.4-1.el5.i386.rpm
wget ftp://195.220.108.108/linux/centos/5.10/os/i386/CentOS/fuse-2.7.4-8.el5.i386.rpm
rpm -ivh fuse*.rpm
Password-less authentication
ssh-copy-id -i ~/.ssh/id_rsa.pub anand@192.168.1.6
Mount it with an fstab entry like this
vi /etc/fstab
sshfs#anand@192.168.1.6:/backup/ISO-files /mnt/ISO fuse delay_connect,idmap=user,uid=1000,gid=1000,umask=0,allow_other,_netdev,workaround=rename 0 0
Save the fstab and mount it automatically
mount -a
Now execute the "mount" command; you should see entries like this.
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
root@192.168.1.6:/backup/ISO-files on /mnt/ISO type fuse.sshfs (rw,nosuid,nodev,allow_other)
Enjoy the share.
Howto: Install Ruby on Rails with Cpanel
Installing Ruby on Rails on cPanel
Start the installation steps as root or a sudo user, or you have to submit a ticket to your hosting provider for enabling Ruby on Rails in your hosting account.
For detailed information about RubyGems commands and system, read their user guide at: www.rubygems.org/
– To install Ruby on Rails:
SSH to the server and run this command:
- /scripts/installruby
If LIBSAFE is installed on your server, you need to add /usr/bin/ruby to the exception list to prevent buffer-overflow errors. SSH to the server and run this command:
- echo "/usr/bin/ruby" >> /etc/libsafe.exclude
The local path to the binary package is:
/usr/bin/gem
To check on the current version installed on your server:
- /usr/bin/gem -v
To list all installed gems:
- /usr/bin/gem -l
– To uninstall Ruby on Rails:
- List all the gems installed on your server and remove them all using the following command:
- /usr/bin/gem uninstall NAME_OF_GEM
cPanel/WHM installs the following gems by default:
rails, mongrel, fastthread, actionmailer, actionpack, activerecord, activeresource, activesupport, cgi_multipart_eof_fix, daemons, gem_plugin, rake.
For example, to uninstall the gem rails, run this command:
- /usr/bin/gem uninstall rails
Sample output:
Successfully uninstalled rails version 0.1.6
- Remove the Gem directories and the binary package using the following commands (in that order):
- /bin/rm -rf /usr/lib/ruby
- /bin/rm -rf /home/cprubygemsbuild
- /bin/rm -fv /root/.gem
- /bin/rm -fv /usr/bin/gem
- Remove all ruby directories added to a client's root directory. The local path is: /home/USER/ruby/
- Restart cPanel (unnecessary, but do it anyway)
- /sbin/service cpanel restart
Error: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Each time I install vsftpd on Ubuntu and enable chroot for the users, it refuses to log in to the home directory because of the write permission on its parent directory. To fix this I used the command
chmod a-w /path/to/the/ftp/home
But it was a most annoying and frustrating problem, so I decided to update the vsftpd package with the security fix. The steps are below.
wget http://ftp.us.debian.org/debian/pool/main/v/vsftpd/vsftpd_3.0.2-3_amd64.deb
dpkg -i vsftpd_3.0.2-3_amd64.deb
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf
echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
service vsftpd reload
Now the FTP service works calmly on my server.
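The permission rule behind both the SFTP ChrootDirectory setup at the top of this page and the vsftpd "refusing to run with writable root" error is the same: the chroot target, and for sshd every directory above it, must be root-owned and not group- or world-writable. The following added check script (not part of the original post) walks that chain and reports offenders; it assumes GNU stat, and the expected-owner and stop-directory parameters are my own additions so the check can also be run against a non-root test tree.

```shell
#!/bin/sh
# Added example: verify that a chroot directory and its parents satisfy the
# ownership and write-permission rule that sshd's ChrootDirectory and vsftpd's
# chroot check both enforce. Returns 0 when clean, 1 when any component fails.
# Usage: check_chroot_path /opt/chroot/planetuser [owner] [stop_dir]
#   owner    expected owner of every component (default root)
#   stop_dir last directory to inspect while walking upwards (default /)
check_chroot_path() {
    dir=$1
    owner=${2:-root}
    stop=${3:-/}
    status=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    while :; do
        # %U = owner name, %a = permission bits in octal (e.g. 755, 1777)
        set -- $(stat -c '%U %a' "$dir")
        if [ "$1" != "$owner" ]; then
            echo "BAD owner: $dir is owned by $1, expected $owner" >&2
            status=1
        fi
        # 022 masks group-write and other-write; the leading 0 makes the
        # shell treat the stat output as octal in arithmetic expansion
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "BAD mode: $dir is group/world writable ($2)" >&2
            status=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $status
}
```

For an internal-sftp user the writable upload area is a root-owned chroot with a subdirectory owned by the user beneath it, so run the check on the chroot itself, not on the upload subdirectory.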