SSH

Howto: Allowing SFTP access while chrooting the user and denying shell access.

Posted on Updated on

Usually SFTP will allow a system user to access their home directory to upload and download files with their account. The SFTP user can navigate anywhere in the server some times can download files it will produce security vulnerability.

The Chroot for SFTP will be denied to access the rest of the system as they will be chrooted to the user home directory. Thus users will not be able to snoop around the system to /etc or application directories. User login to a shell account will also be denied.

I the below procedures will allowed me to enable SFTP security,

1, Add a new group

2, Create a Chroot dir for launch the logins, which should owned by root

3, Modify sftp-internal for forcing chroot dir

4, reload the configuration

Steps :

Create Chroot launch directory with other have no previlege

mkdir /opt/chroot
chown root:root /opt/chroot
chmod 700 /opt/chroot

Create a common group for the chrooted users , SSH rule will work for the group

groupadd sftpgroup
useradd -g sftpgroup -s /sbin/nologin  -d /opt/chroot/planetuser planetuser
passwd planetuser

Modify ssh configuration

vi /etc/ssh/sshd_config

Comment the general sftp subsubsystem and add new rule

#Subsystem sftp /usr/lib/openssh/sftp-server

#Add the line 
Subsystem sftp internal-sftp

# Rules for sftp group
Match group sftpgroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Then restart SSH service

service sshd restart
Advertisements

Error: posftix: warning: SASL authentication failure: No worthy mechs found

Posted on Updated on

After configuring postfix relay server I found their was some issue with gmail server authentication, it will bounce the emails

Error : 
 postfix/smtp[25857]: 59BF721177: SASL authentication failed; cannot authenticate to server smtp.gmail.com[74.125.25.108]: no mechanism available
 postfix/smtp[25861]: warning: SASL authentication failure: No worthy mechs found

Their must be two solid reasons behind this
1, SASL package is missing for plain module

yum install cyrus-sasl{,-plain}

2, Allow plaintext (which is fine when using STARTTLS): make the connection enrypted

smtp_sasl_security_options = noanonymous

Make Sure you enabled all the below options :

smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login

 

HowTo: Authenticated email relay server with Postfix

Posted on Updated on

Setup Postfix as a email relay server which will authenticate with public email server for sending emails. If you want to use a Gmail as a Free SMTP server us, use this as in any of the redhat or ubuntu servers
For Ubuntu

apt-get install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules

Replace the ceritficate file in the configuration

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

If you do not have postfix installed before, postfix configuration wizard will ask you some questions. Just select your server as Internet Site and for FQDN use something like mail.example.com , For Centos

yum install postfix email mailx cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain
[root@server ~]# vi /etc/postfix/main.cf
biff = no
append_dot_mydomain = no
readme_directory = no
myhostname = smtpout.innovautelabs.intra
mydomain = innovaturelabs.intra
myorigin = $mydomain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.localdomain, , localhost
mynetworks = 192.168.1.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt 
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login

Now create a password file which should have a valid email and password; onece hashed the password file postfix can read the data in it after that, you can delete the plaintext passwd file. Alternately, if you’d feel better keeping the file around for whatever reason, you can run chmod 600 passwd and make it only readable by its owner, which should be root

vi /etc/postfix/sasl-passwords
[smtp.gmail.com]:587 username@gmail.com:password
chmod 600 /etc/postfix/sasl-passwords
postmap /etc/postfix/sasl-passwords

Finally, reload postfix config for changes to take effect:

service postfix restart

HowTo: Password lesslogin in linux.

Posted on Updated on

Password less logins allow you get get into the server even the password has been changed or expired ,

It can be achieve by single unix command you can use either this or the detailed steps given below. It will prompt password for server2,  once it is over the next login will be the password less

 [root@srv-51 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub  syncfuser@192.168.1.52

Detailed steps :

1, Generate public key on server-1, ignore this step if it is already exist

 [root@srv-51 ~]$ ssh-keygen
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa):
 Created directory '/root/.ssh'.
 Enter passphrase (empty for no passphrase):
 Enter same passphrase again:
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/id_rsa.pub.
 The key fingerprint is:
 8f:99:9f:8f:ba:bf:15:ca:6b:1f:83:06:a2:1a:9c:59 root@srv-51
 The key's randomart image is:
 +--[ RSA 2048]----+
 | |
 | |
 | |
 | |
 | E . S . |
 | . + . . B o . |
 | = . + * + |
 | o o.= o |
 | . o=B+o |
 +-----------------+

3, Grab the key and add it in the authorized_keys file in server2

[root@srv-51 ~]# cat ~/.ssh/id_rsa.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain

4, Server2 authorized_keys key entry is looks like this

[root@srv-52 ~]# cat /home/syncfuser/.ssh/authorized_keys
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAz9iTxsWIYZyLtGN47MQZkSrPqXoGwATAKD/ZqIyemFRvKnlkSllkEEQ7+MlMstz6HvONfTJuJROegELqTIA7PoR43LTTKw7zfqJtt1J4fUH/6mbYlB5bedXtl/7L9auRYr276d04CFUCKfINEG4KJXYlbuSM8Mr5ZiUvLCkiu4Jx77DSy0iWaDa90C6cEbl1vRX9yl1pdWQbAMuazYLfiDPOnbqb7JtcI9du5bNEuFuA26VahaYbaYtXFnKBbKrCUMzTHT2uuNesYpckUHT4f0T1fU9qNsAYBlyQBgMIu/2qdJ+Y8luMVCkydXx8ZJmSTmAp+yR+qaZDYCqujrvjdQ== root@localhost.localdomain

Finally output will be like this

 [root@srv-51 ~]# ssh syncfuser@192.168.1.52
 Last login: Wed Jun 25 17:08:25 2014 from 192.168.1.51
 [syncfuser@srv-52 ~]$

Now server1 root user can enter password less to the syncfuser on server2. 🙂

HowTo: Tomcat Logging – log customized with {X-Forwarded-For}

Posted on Updated on

Tomcat is allowing us to track back logs with enamours of information by customizing the log pattern. There is preset patten is available, we can also implement is in single line

I enabled few more information like execution time , request size , cookies etc..

Default tag should be like this

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"  
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>

Common : %{X-Forwarded-For}i %l %u %t “%r” %s %b
Combined : %{X-Forwarded-For}i %l %u %t %r %s %b %{User-Agent}i %{Referer}i %{Cookie}i

You can change either Common or Combined

I have implemented my own pattern like below, so it should more detailed

pattern="%h %{X-Forwarded-For}i %l %u %t  &quot;%r&quot; %s %b  &quot;%{User-Agent}i&quot; &quot;%{Referer}i&quot; &quot;%{Cookie}i&quot; %T"

Access Log pattern new look

-----------------------------
192.168.1.185 - - - [18/Mar/2014:10:52:06 +0530]  "GET /ajax/norm/list/status?ids=23%2C11%2C9%2C7%2C6%2C5%2C2%2C1%2C HTTP/1.1" 200 42  "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0" "http://192.168.1.188/norm/list" "JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8" 0.007
-----------------------------
Log Details : 192.168.1.185 : Remote host name (or IP address if resolveHosts is false)
– : X-Forwarded-For – : Remote logical username
– : Remote user that was authenticated
[18/Mar/2014:10:52:06 +0530]  : Date and time, in Common Log Format
GET /ajax/norm/list/…… : First line of the request (method and request URI)
HTTP/1.1 : Request protocol
200 : HTTP status code of the response
42 : Bytes sent, excluding HTTP headers (Content size)
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0: User Agent
http://192.168.1.188/norm/list : Referer
JSESSIONID=4FD1DBEB911CD2E19AA4798F9A26DCA8 : Cookie header
0.007 : Time taken to process the request, in seconds

Once every thing has been done you can restart the tomcat to make it effect, more options are given below

%a – Remote IP address
%A – Local IP address
%b – Bytes sent, excluding HTTP headers, or ‘-‘ if zero
%B – Bytes sent, excluding HTTP headers
%h – Remote host name (or IP address if resolveHosts is false)
%H – Request protocol
%l – Remote logical username from identd (always returns ‘-‘)
%m – Request method (GET, POST, etc.)
%p – Local port on which this request was received
%q – Query string (prepended with a ‘?’ if it exists)
%r – First line of the request (method and request URI)
%s – HTTP status code of the response
%S – User session ID
%t – Date and time, in Common Log Format
%u – Remote user that was authenticated (if any), else ‘-‘
%U – Requested URL path
%v – Local server name
%D – Time taken to process the request, in millis
%T – Time taken to process the request, in seconds
%I – current request thread name (can compare later with stacktraces)
%f – X-Forwarded-For IP address
%F – X-Forwarded-For address

HowTo: Change Instance store AMI to EBS-backend AMI

Posted on Updated on

Amazon not providing any feature for changing AMI root device type, once we generate an instance with Instance-store  we can’t upgrade the instance because for upgrading instance should stop. The stop option is disable for such instance-store AMI’s. I followed the steps below, It can be workout by two ways either using rsync or dd

Here is the steps:

  • Create an EBS vol with size as same or more, I used 10G because my existing instance having 10G on root.

EBS_fresh

After creating which is look like this

EBS_new

  • Attach the EBSLogin to existing Instance-store backend AMI,

Right- click and select Attach Volume,

EBS_attach

  • Login to the Instance-store backend  server, and stop all the running services (Optional), (eg., mysqld , httpd , xinted )

Execute the the disk mirroring commands below, it will take few min to complete according to the server perfomance.

[root@ip-10-128-5-222 ~]# dd bs=65536 if=/dev/sda1 of=/dev/sdf

or

mkfs.ext3 /dev/sdf                              #create filesystem
mkdir /mnt/ebs                                  #New dir for mounting 
mount /dev/sdh /mnt/ebs                         #Mount as a partition
rsync -avHx / /mnt/ebs                          #Synchronizing root and ebs  
rsync -avHx /dev /mnt/ebs                       #Synchronizing device informations  
tune2fs -L '/' /dev/sdf                         #Creating partition label for ebs  
sync;sync;sync;sync && umount /mnt/ebs          #Sync and umounting ebs 

Check the EBS volume for consistency

[root@ip-10-128-5-222 ~]# fsck /dev/sdf
 fsck 1.39 (29-May-2006)
 e2fsck 1.39 (29-May-2006)
 /dev/sdf: clean, 126372/1310720 files, 721346/2621440 blocks

Mount the EBS volume into the instance, Remove the /mnt entry from the fstab on your EBS vol

[root@ip-10-128-5-222 ~]# mount /dev/sdf /mnt/ebs-vol
[root@ip-10-128-5-222 ~]# vim /root/ebs-vol/etc/fstab
  • Create a snapshot of the EBS volume using the AWS management console

Right-Click the EBS_vol –> select Create Snapshot , it will take few min to create

EBS_snapshot

After creating snapshot it will list under snapshot list.

EBS_snapshotpng

Now Right-click snapshot  –> select Create Image from snapshot

EBS_create_image

  • Launch new EC2 using newly create AMI, so while creating new EC2 you can select any instance type also you may use the same keypair and Elastic IP for the new instance

Creating New instance using new AMI.

NEW_EC2

Running instance

EC2_newpng

  • Now you can login to the new server, If you select more than the size of snapshot you have to use the below command to retain the storage back
#resize2fs /dev/sda1
  •  Successfully migrated the server as EBS-backend. Start all the services if it is necessary, This time we can upgrade the instance type

HowTo: S3 bucket dynamic URI access

Posted on Updated on

s3cmd is a command line tool for uploading, retrieving and managing data in Amazon S3. Still their are no wiki is updated.
you may get the packages from sourceforge official

Also the download repository is available here : Download Now

It will also support including unix dynamic resource access method, for example we can use * for calling all the resources or {dir1,file2} for specific resource.

I was shown in the example for setting up public acl for dynamic sub directories.

Installation:

root@planetcure:wget http://kaz.dl.sourceforge.net/project/s3tools/s3cmd/1.0.1/s3cmd-1.0.1.tar.gz
root@planetcure:tar -zxvf s3cmd-1.0.1.tar.gz
root@planetcure:export  PATH=$PATH:/opt/installer/s3cmd-1.0.1

Now we can access the binary from any of the location.

root@planetcure:/opt/installer/s3cmd-1.0.1# s3cmd setacl --acl-public s3://my-bucket-name/{dev,stg1,stg2}/*/dir5/*/3/*

This command will execute the following scenarios

s3://my-bucket-name/  is my S3 bucket

* will represent all the subdirectories

{dev,stg1,stg2} will represent the specific directories from the group of directories

dir5/ ,3/ will represent specific sub-directory

Enjoy the day, 🙂