Posts Tagged ‘How to’

Configuring vsftpd in Ubuntu : Example #1

August 2, 2010

vsftpd is one of the Linux packages that can be used to build an FTP server. In this article I give a simple example of configuring vsftpd on Ubuntu. The FTP server built here authenticates against real Linux system accounts, and the connection is not encrypted: usernames, passwords and file contents cross the network in cleartext, so use it only on a network you trust, or enable FTPS (ssl_enable=YES) if your clients support it.

Please follow the steps below.

  1. Information schema.
       [eth1]                            [eth0]
         ||                                ||
     [Internet]--------[vsftpd]--------[Intranet]
                          ||
                    [tcp_wrappers]
  2. Installing vsftpd for the first time.

    ~# apt-get install vsftpd

  3. Make sure the configuration file "/etc/vsftpd.conf" contains at least the following lines. Two of them deserve a second look: chroot_local_user=YES together with local_root=/home jails every user in /home rather than in their own home directory, so users can browse each other's directories as far as Unix permissions allow; drop local_root if you want each user jailed in their own home (the default). Newer vsftpd versions also refuse to log in a user whose chroot directory is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so either make the jail root non-writable and let users upload into a subdirectory, or set allow_writeable_chroot=YES and accept the risk.

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    idle_session_timeout=600
    data_connection_timeout=120
    ftpd_banner=BLAH-FTP
    chroot_local_user=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    local_root=/home
    hide_ids=YES
    syslog_enable=YES
    max_clients=20
    max_per_ip=5
    pasv_min_port=5000
    pasv_max_port=5999
    tcp_wrappers=YES
    # Optional
    # deny_file={*.iso,*.lnk,*.3gp,*.3gpp}
    # cmds_allowed=PASV,RETR,QUIT

  4. Add the following rules in IPTables. Port 21 carries the control connection. Passive-mode data connections arrive on the pasv_min_port to pasv_max_port range configured above, so that range has to be opened as well, otherwise directory listings and transfers hang under a default-DROP policy. Port 20 is the source port of active-mode data connections, which the server opens outbound, so it needs the OUTPUT rule rather than an INPUT rule.

    ~# iptables -A INPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED
    ~# iptables -A INPUT -j ACCEPT -p tcp --dport 5000:5999 -m state --state NEW,RELATED,ESTABLISHED
    ~# iptables -A OUTPUT -j ACCEPT -p tcp

    Alternatively, load the FTP connection-tracking helper (modprobe nf_conntrack_ftp, ip_conntrack_ftp on older kernels) and add an INPUT rule that accepts --state RELATED,ESTABLISHED; the helper then recognises the data connections announced on the control channel and the explicit passive range is not needed.

  5. Prevent FTP users from logging in to a Linux shell. On Ubuntu, /etc/pam.d/vsftpd includes pam_shells, which only accepts users whose login shell is listed in /etc/shells, so /usr/sbin/nologin has to be added there before FTP-only accounts can use it.

    ~# echo "/usr/sbin/nologin" >> /etc/shells

    To add a user, or to change the shell of an existing user, do the following.

    ~# useradd -g ftp -s /usr/sbin/nologin -m johnson

    or

    ~# chsh -s /usr/sbin/nologin johndoe

  6. Prevent specific users from using the FTP server. /etc/ftpusers is a deny list read by pam_listfile in /etc/pam.d/vsftpd; add every administrative account to it, since their passwords would otherwise travel in cleartext.

    ~# echo "sysadmin" >> /etc/ftpusers

  7. Here is a simple way to secure your FTP server further using "tcp_wrappers" (vsftpd consults /etc/hosts.allow and /etc/hosts.deny when tcp_wrappers=YES is set, as above).

    7.1. Make sure the file "/etc/hosts.deny" contains only the following.

    ALL: ALL

    Be aware that this denies every tcp_wrappers-aware service on the host, not only vsftpd; sshd on Ubuntu of this era is built with libwrap, so add a matching "sshd: ..." line to /etc/hosts.allow before applying this over a remote session, or you will lock yourself out.

    7.2. Create the file "/etc/hosts.sandbox" to hold the IP or network addresses that will be blocked (a trailing dot matches a network prefix).

    ~# echo "224." >> /etc/hosts.sandbox
    ~# echo "240." >> /etc/hosts.sandbox
    ~# echo "248." >> /etc/hosts.sandbox

    7.3. Add the following line to the file "/etc/hosts.allow". The daemon name must match the process name, vsftpd, and hosts.allow is evaluated before hosts.deny.

    vsftpd: ALL EXCEPT /etc/hosts.sandbox

  8. To test whether "tcp_wrappers" is working, add the IP address of a workstation to the file "/etc/hosts.sandbox" and connect from it; the connection should be closed immediately.

    If you use the shell command "tcpdchk -v" to check the "tcp_wrappers" configuration, it reports the error "no such process name in /etc/inetd.conf", because tcpdchk only knows about daemons listed in that file.

    To silence it, add the following line to the file "/etc/inetd.conf".

    ~# echo "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd" >> /etc/inetd.conf

    This is not mandatory: without that line "tcp_wrappers" keeps working, because vsftpd in standalone mode (listen=YES) checks hosts.allow and hosts.deny itself. Only add it if no inetd is running on the host, otherwise inetd would also try to bind port 21.

    Information about the file "/etc/inetd.conf", which Ubuntu removed, can be read here.

  9. Finish.

Again, this is a simple example; adapt it to your own needs.
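The steps above are easy to get subtly wrong in two places, the chroot setting and the firewall range. The following shell script is an added example written for this page (it is not part of vsftpd, Ubuntu or the original post): it reads a vsftpd.conf, flags the settings the post relies on when they are missing or weakened, including the local_root=/home jail, and derives the iptables rules from the passive port range instead of hard-coding them. It works on a copy of the file, so it needs neither root nor a running server; the sample configuration inside it is constructed to mirror the one above.

```shell
#!/bin/sh
# Added example for this article, not part of vsftpd or Ubuntu: audit a
# vsftpd.conf for the settings the steps above rely on, and print the iptables
# rules its port settings imply. Everything works on a copy of the file, so it
# needs neither root nor a running vsftpd. The sample config below is
# constructed to mirror the one in the post.

vsftpd_sample_conf() {        # write a constructed vsftpd.conf to $1
    cat > "$1" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_root=/home
hide_ids=YES
tcp_wrappers=YES
xferlog_enable=YES
connect_from_port_20=YES
pasv_min_port=5000
pasv_max_port=5999
# deny_file={*.iso,*.lnk}
EOF
}

# vsftpd_get FILE KEY: value of KEY, empty if unset. vsftpd takes the last
# occurrence of a duplicated key, so tail -n 1 mirrors that.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# vsftpd_audit FILE: one "WEAK:" line per finding; returns 1 if any.
vsftpd_audit() {
    conf="$1"; rc=0
    for want in anonymous_enable=NO chroot_local_user=YES hide_ids=YES \
                tcp_wrappers=YES xferlog_enable=YES; do
        key="${want%%=*}"; val="${want#*=}"
        have="$(vsftpd_get "$conf" "$key")"
        if [ "$have" != "$val" ]; then
            echo "WEAK: $key=${have:-unset} (expected $val)"; rc=1
        fi
    done
    # chroot_local_user=YES plus local_root=/home jails every user in /home,
    # not in their own home directory, so they can browse each other's trees.
    if [ "$(vsftpd_get "$conf" chroot_local_user)" = YES ] &&
       [ "$(vsftpd_get "$conf" local_root)" = /home ]; then
        echo "WEAK: local_root=/home makes /home the chroot jail for every user"; rc=1
    fi
    return $rc
}

# vsftpd_fw_rules FILE: iptables rules for the control port and, if a passive
# range is configured, for the passive data ports. Active-mode data
# connections leave the server from port 20, so they only need OUTPUT rules.
vsftpd_fw_rules() {
    conf="$1"
    lo="$(vsftpd_get "$conf" pasv_min_port)"; hi="$(vsftpd_get "$conf" pasv_max_port)"
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
    if [ -n "$lo" ] && [ -n "$hi" ]; then
        echo "iptables -A INPUT -p tcp --dport $lo:$hi -m state --state NEW,ESTABLISHED -j ACCEPT"
    fi
    echo "iptables -A OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT"
}

# Demo on the constructed sample.
tmp="$(mktemp)"
vsftpd_sample_conf "$tmp"
vsftpd_audit "$tmp" || echo "audit: problems found"
vsftpd_fw_rules "$tmp"
rm -f "$tmp"
```

Run it against /etc/vsftpd.conf on the server, or against a copy pulled from it. If the FTP connection-tracking helper (nf_conntrack_ftp) is loaded, a single INPUT rule accepting RELATED,ESTABLISHED covers the passive data connections and the explicit range rule becomes optional.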


Configuring Polipo & HAVP + ClamAV in Ubuntu

April 27, 2010

Polipo is very effective as a web proxy for a small (SOHO) network. Its ease of use, simplicity and speed make it an option to replace Squid as a web proxy. Even so, a virus scanner that can proactively block malware while browsing remains necessary. In this article I only give an example of how to configure Polipo as a web proxy combined with HAVP and ClamAV as the virus scanner: browsers talk to Polipo, Polipo forwards every request to HAVP as its parent proxy, and HAVP scans the response body with ClamAV before handing it back.

Please follow the steps below.

  1. Information Schema.
                   192.168.0.253:8123
                          ||                      [eth1]
                          ||                        ||
     [Intranet]--------[Polipo]-+-[HAVP]--------[Internet]
         ||                         ||
       [eth0]                   Parent Proxy
    192.168.0.0/24             127.0.0.1:8080
                                    ||
                                    ||
                                 [ClamAV]
  2. Installing Polipo for the first time.

    ~# apt-get install polipo

  3. Installing HAVP and ClamAV, and updating the ClamAV virus database for the first time.

    ~# apt-get install havp clamav
    ~# freshclam

  4. Make sure the configuration file "/etc/polipo/config" contains at least the following lines. Two settings deserve a second look: allowedPorts and tunnelAllowedPorts = 1-65535 let every allowed client use the proxy to reach, or CONNECT to, any TCP port (Polipo's defaults are much narrower), so restrict them to the ports you actually need; and allowedClients is the only thing that keeps the proxy from being open to the world, so keep it to the intranet range.

    daemonise = true
    proxyAddress = "192.168.0.253"
    allowedClients = 127.0.0.1, 192.168.0.0/24
    proxyName = "kokikode.wordpress.com"
    parentProxy = 127.0.0.1:8080 # HAVP as parent proxy.
    forbiddenFile = /etc/polipo/forbidden # Commonly used to block ads.
    chunkHighMark = 819200 # If you have plenty of memory, set this to 50331648.
    objectHighMark = 128 # If you have plenty of memory, set this to 16384.
    diskCacheFilePermissions = 0600
    diskCacheDirectoryPermissions = 0700
    diskCacheRoot = /cache1/polipo
    disableLocalInterface = true
    localDocumentRoot = ""
    dnsQueryIPv6 = no
    dnsUseGethostbyname = reluctantly
    censoredHeaders = from, accept-language
    censorReferer = maybe
    dontCacheRedirects = false
    allowedPorts = 1-65535
    tunnelAllowedPorts = 1-65535

  5. Make sure the configuration file "/etc/havp/havp.config" contains at least the following lines. ENABLECLAMLIB true makes HAVP scan with libclamav and the signatures in CLAMDBDIR, which freshclam keeps up to date and DBRELOAD reloads periodically, and BIND_ADDRESS 127.0.0.1 keeps HAVP reachable only from Polipo on the same host, so clients cannot bypass Polipo's allowedClients check by talking to HAVP directly.

    USER havp
    GROUP havp
    DAEMON true
    PIDFILE /var/run/havp/havp.pid
    SERVERNUMBER 20
    MAXSERVERS 100
    ACCESSLOG /var/log/havp/access.log
    ERRORLOG /var/log/havp/havp.log
    USESYSLOG false
    SYSLOGNAME havp
    SYSLOGFACILITY daemon
    SYSLOGLEVEL info
    LOG_OKS true
    LOGLEVEL 1
    SCANTEMPFILE /var/spool/havp/havp-XXXXXX
    TEMPDIR /var/tmp
    DBRELOAD 60
    TRANSPARENT false
    FORWARDED_IP true
    PORT 8080
    BIND_ADDRESS 127.0.0.1
    TEMPLATEPATH /etc/havp/templates/en
    ENABLECLAMLIB true
    CLAMDBDIR /var/lib/clamav
    ENABLECLAMD false
    ENABLEFPROT false
    ENABLEAVG false
    ENABLEAVESERVER false
    ENABLESOPHIE false
    ENABLETROPHIE false
    ENABLENOD32 false
    ENABLEAVAST false
    ENABLEARCAVIR false
    ENABLEDRWEB false

  6. Make sure the IPTables rules contain at least the following line, which accepts proxy connections from the intranet only. HAVP on 127.0.0.1:8080 needs no rule, since it is reachable only from the host itself.

    ~# iptables -A INPUT -j ACCEPT -p tcp -i eth0 -s 192.168.0.0/24 --dport 8123

    *) Polipo's default port is 8123.

  7. Restart Polipo and HAVP service.

    ~# /etc/init.d/polipo force-reload
    ~# /etc/init.d/havp force-reload

  8. Configure your web browser manually, because Polipo is not a transparent proxy. HTTPS requests pass through Polipo and HAVP as CONNECT tunnels: they reach the Internet, but their encrypted content cannot be scanned.

    HTTP Proxy: 192.168.0.253, Port: 8123
    HTTPS/SSL Proxy: 192.168.0.253, Port: 8123

  9. Finish.

Adapt and improvise on the sample configuration above to suit your needs. In this article I used Ubuntu Server 8.04 LTS, Polipo 1.0.4, HAVP 0.89 and ClamAV 0.95.3.
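The schema at the top of this post only works if the two configuration files agree with each other: Polipo's parentProxy must point at the address and port HAVP binds, HAVP must stay on loopback so clients cannot bypass Polipo, and the tunnel ports must not turn the proxy into a generic CONNECT relay. The shell script below is an added example written for this page (not code from Polipo, HAVP or the original post) that checks exactly that against copies of the two files; the sample configurations it writes are constructed to mirror the ones above.

```shell
#!/bin/sh
# Added example for this article, not part of Polipo or HAVP: check that the
# two configuration files describe the chain drawn in the schema (browser ->
# Polipo -> HAVP on loopback -> Internet) and flag the settings that weaken
# it. It only reads the files, so it runs without root or either daemon. The
# sample files below are constructed to mirror the post.

proxy_sample_confs() {        # write constructed polipo ($1) and havp ($2) configs
    cat > "$1" <<'EOF'
daemonise = true
proxyAddress = "192.168.0.253"
allowedClients = 127.0.0.1, 192.168.0.0/24
parentProxy = 127.0.0.1:8080 # HAVP as parent proxy.
allowedPorts = 1-65535
tunnelAllowedPorts = 1-65535
EOF
    cat > "$2" <<'EOF'
USER havp
TRANSPARENT false
PORT 8080
BIND_ADDRESS 127.0.0.1
ENABLECLAMLIB true
EOF
}

# polipo_get FILE KEY: value of "KEY = value", quotes and trailing comment removed
polipo_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//' | tail -n 1
}

# havp_get FILE KEY: value of "KEY value" (havp.config uses no '=')
havp_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" |
        sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# proxy_chain_check POLIPO_CONF HAVP_CONF: one "PROBLEM:" line per finding,
# returns 1 if anything is wrong.
proxy_chain_check() {
    rc=0
    parent="$(polipo_get "$1" parentProxy)"
    bind="$(havp_get "$2" BIND_ADDRESS)"; port="$(havp_get "$2" PORT)"
    # Polipo must forward to the socket HAVP actually listens on
    if [ "$parent" != "$bind:$port" ]; then
        echo "PROBLEM: polipo parentProxy=$parent but havp listens on $bind:$port"; rc=1
    fi
    # HAVP must not be reachable from the LAN, or clients bypass Polipo's allowedClients
    if [ "$bind" != 127.0.0.1 ]; then
        echo "PROBLEM: havp BIND_ADDRESS=$bind should be 127.0.0.1"; rc=1
    fi
    # A tunnel range reaching 65535 turns the proxy into a relay that can CONNECT anywhere
    case "$(polipo_get "$1" tunnelAllowedPorts)" in
        *-65535*) echo "PROBLEM: tunnelAllowedPorts allows CONNECT to any port"; rc=1 ;;
    esac
    return $rc
}

# Demo on the constructed samples.
p="$(mktemp)"; h="$(mktemp)"
proxy_sample_confs "$p" "$h"
proxy_chain_check "$p" "$h" || echo "check: problems found"
rm -f "$p" "$h"
```

On the proxy host, point it at /etc/polipo/config and /etc/havp/havp.config; on the sample above it reports only the wide-open tunnelAllowedPorts, which is the one change worth making before exposing the proxy to a larger network.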

How to install PHP-FPDF in Ubuntu

March 28, 2010

What is FPDF? It is a PHP class for generating PDF files in pure PHP, without the PDFlib library.

In this article, Apache2 and PHP5 are assumed to be installed and working.

The following lines are the installation steps.

  1. Log in as "root" (or use sudo) to install the package.

    ~# apt-get install php-fpdf

  2. If the installation succeeded, the file "fpdf.php" is in the following directory.

    ~# ls -l /usr/share/php/fpdf

  3. Make the library reachable from your PHP scripts. On Debian and Ubuntu /usr/share/php is already on PHP's include_path, so require('fpdf/fpdf.php') works with no further setup and the library stays outside the document root. If you prefer a symbolic link inside each site, as below, be aware that it also publishes the library's source and font files over HTTP.

    e.g.

    ~# ln -s /usr/share/php/fpdf /var/www/fpdf

  4. Reload your web server.

    ~# /etc/init.d/apache2 force-reload

  5. Make sure the PHP code on the page that generates the PDF loads the library like this.
    <?php
    require('fpdf/fpdf.php');
    ?>
    
  6. Finish.

Moving the MySQL database directory in Ubuntu

December 16, 2009

When MySQL is installed on Ubuntu, all data is placed by default in the directory "/var/lib/mysql". If you want to move that directory for any reason, follow the steps below.

  1. Stop MySQL service.

    ~# sudo /etc/init.d/mysql stop

  2. Copy all existing data into the desired directory, preserving its permissions, ownership and attributes (cp -p keeps them; the new directory must still be owned by the mysql user).

    ~# sudo cp -p -R /var/lib/mysql /mnt/raid10

  3. Edit the MySQL configuration file "/etc/mysql/my.cnf". Find the section [mysqld] and change the variable "datadir = /var/lib/mysql" (the default) to the location where the data now lives.

    ~# cat /etc/mysql/my.cnf

    [mysqld]
    datadir = /mnt/raid10/mysql

  4. If "apparmor" is installed on your Ubuntu server, edit its profile for mysqld in "/etc/apparmor.d/usr.sbin.mysqld" as well; otherwise AppArmor denies mysqld access to the new directory. Find the profile block for "/usr/sbin/mysqld".

    ~# cat /etc/apparmor.d/usr.sbin.mysqld

    /usr/sbin/mysqld {

    ..
    ..

    # Find the two lines below and comment them out ...
    # /var/lib/mysql/ r,
    # /var/lib/mysql/** rwk,

    # ... then add the same rules for the new directory.
    /mnt/raid10/mysql/ r,
    /mnt/raid10/mysql/** rwk,

    ..
    ..

    }

  5. Save all changes to the configuration files above, then reload the AppArmor profile (apparmor_parser -r on the profile file, or simply reboot) and start MySQL again. If mysqld fails to start, look for apparmor="DENIED" entries in the kernel log and check that the new directory is still owned by the mysql user.

In this article, I use RAID10 as the storage mode on the MySQL server machine and MyISAM as the database type.
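Steps 3 and 4 above are two edits that have to agree, and mysqld will not start if they do not. The shell script below is an added example written for this page (not part of MySQL, AppArmor or the original post): it makes both edits on copies of my.cnf and the AppArmor profile and checks that the profile covers the datadir that my.cnf names, before anything is restarted. It assumes datadir appears once, under [mysqld], and that the profile uses the two rule forms shown above; the sample files it writes are constructed to resemble the Ubuntu defaults.

```shell
#!/bin/sh
# Added example for this article, not part of MySQL or Ubuntu: apply the
# my.cnf and AppArmor edits from steps 3 and 4 to copies of the files, and
# check that both agree on the data directory before mysqld is started. The
# sample files are constructed to resemble the Ubuntu defaults; datadir is
# assumed to appear once, under [mysqld].

mysql_sample_files() {        # write a constructed my.cnf ($1) and AppArmor profile ($2)
    cat > "$1" <<'EOF'
[client]
port = 3306

[mysqld]
user = mysql
datadir = /var/lib/mysql
socket = /var/run/mysqld/mysqld.sock
EOF
    cat > "$2" <<'EOF'
#include <tunables/global>

/usr/sbin/mysqld {
  #include <abstractions/base>
  /var/lib/mysql/ r,
  /var/lib/mysql/** rwk,
  /var/run/mysqld/mysqld.sock w,
}
EOF
}

# mysql_get_datadir MYCNF: current datadir value (last occurrence wins)
mysql_get_datadir() {
    sed -n 's/^[[:space:]]*datadir[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# mysql_set_datadir MYCNF NEWDIR: point datadir at NEWDIR, keeping the line's layout
mysql_set_datadir() {
    sed "s|^\([[:space:]]*datadir[[:space:]]*=[[:space:]]*\).*|\1$2|" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# apparmor_set_datadir PROFILE OLDDIR NEWDIR: rewrite every rule that starts
# with OLDDIR/ (the "r," on the directory and the "rwk," on its contents)
apparmor_set_datadir() {
    sed "s|^\([[:space:]]*\)$2/|\1$3/|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apparmor_allows PROFILE DIR: true if the profile grants mysqld both rules it needs on DIR
apparmor_allows() {
    grep -q -- "^[[:space:]]*$2/ r," "$1" && grep -q -- "^[[:space:]]*$2/\*\* rwk," "$1"
}

# mysql_datadir_consistent MYCNF PROFILE: true if the profile covers the configured datadir
mysql_datadir_consistent() {
    dir="$(mysql_get_datadir "$1")"
    [ -n "$dir" ] && apparmor_allows "$2" "$dir"
}

# Demo: move the datadir to /mnt/raid10/mysql as in the post.
d="$(mktemp -d)"
mysql_sample_files "$d/my.cnf" "$d/usr.sbin.mysqld"
mysql_set_datadir "$d/my.cnf" /mnt/raid10/mysql
mysql_datadir_consistent "$d/my.cnf" "$d/usr.sbin.mysqld" ||
    echo "profile still points at the old directory; rewriting it"
apparmor_set_datadir "$d/usr.sbin.mysqld" /var/lib/mysql /mnt/raid10/mysql
mysql_datadir_consistent "$d/my.cnf" "$d/usr.sbin.mysqld" &&
    echo "my.cnf and AppArmor agree on $(mysql_get_datadir "$d/my.cnf")"
rm -rf "$d"
```

Against the real files, run the consistency check after your edits and before starting mysqld; it does not verify ownership of the new directory, which cp -p preserves only when run as root.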

Essential SSH configuration

December 14, 2009

I have tried to summarize everything I consider essential in configuring the SSH service. None of this is new, especially to experienced security people, but for those who do not know it yet, or are beginners, this article may help. On most Linux distributions the SSH daemon's configuration file is "/etc/ssh/sshd_config". The following is a sample configuration of the essentials for securing your SSH service. Two things to keep in mind when editing it: sshd does not accept a comment after a value on the same line (it refuses to start with "garbage at end of line"), so the explanatory comments below are on lines of their own, and for every keyword sshd uses the first value it finds, so a duplicate later in the file is silently ignored.

~# cat /etc/ssh/sshd_config

# Port the SSH daemon listens on. Changing it only reduces noise from automated
# scanners; it is not a security control on its own.
Port 22

# SSH protocol version 1 is not secure; limit the daemon to version 2 only.
# (Current OpenSSH releases no longer support version 1 at all.)
Protocol 2

# Bind only to the addresses that need it. This looks trivial, but it does no
# harm and complements the firewall rules later.
# Local interface:
ListenAddress 192.168.0.1
# Internet interface:
ListenAddress 203.154.30.212

# It is prudent to disable direct root logins at the SSH level as well.
PermitRootLogin no

# Prevent SSH from setting up TCP port and X11 forwarding if you do not need them.
AllowTcpForwarding no
X11Forwarding no

# Keep privilege separation enabled: the daemon is split in two, a small part
# runs as root and the rest runs unprivileged in a chroot jail. (Newer OpenSSH
# releases make this mandatory and ignore the keyword.)
UsePrivilegeSeparation yes

# StrictModes checks the permissions and ownership of important files in the
# user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys. If any
# check fails, the user cannot log in.
StrictModes yes

# Disable all host-based authentication. It should never be the primary
# authentication method.
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no

# Disable sftp if it is not needed.
# Subsystem sftp /usr/lib/misc/sftp-server

# Additional rules, if needed. RSAAuthentication only concerns protocol 1.
RSAAuthentication no
# Needed if you log in with public/private key pairs; PubkeyAuthentication
# defaults to yes.
AuthorizedKeysFile .ssh/authorized_keys
# With passwords disabled, also disable challenge-response (keyboard-interactive)
# authentication, otherwise PAM can still prompt for a password on Ubuntu.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
LoginGraceTime 300
ClientAliveInterval 60
ClientAliveCountMax 5
MaxStartups 5

# End of file.
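Two properties of sshd_config make a hand-written file like the one above risky: for every keyword only the first occurrence counts, so a later, stricter duplicate is silently ignored, and a "#" after a value is not a comment but "garbage at end of line" that stops sshd from starting. The shell script below is an added example written for this page (not part of OpenSSH or the original post) that audits a configuration file for the settings discussed above and for both of those pitfalls; Match blocks are not handled, and the sample file it writes is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example for this article, not part of OpenSSH: audit an sshd_config
# for the settings discussed above, plus two sshd rules that are easy to get
# wrong: the first occurrence of a keyword wins (later duplicates are
# ignored), and a "#" after a value is not a comment but "garbage at end of
# line" that stops sshd from starting. Match blocks are not handled; the
# sample below is constructed and is not a file from a real host.

sshd_sample_conf() {          # write a constructed sshd_config to $1
    cat > "$1" <<'EOF'
# Sample with the problems this script is meant to catch.
Port 22
Protocol 2
ListenAddress 192.168.0.1 # Local Interface
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication no
PermitEmptyPasswords no
Login GraceTime 300
PasswordAuthentication yes
EOF
}

# sshd_get FILE KEYWORD: first value for KEYWORD (case-insensitive), as sshd resolves it
sshd_get() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_audit FILE: one "WEAK:" line per finding, returns 1 if any
sshd_audit() {
    conf="$1"; rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no PermitEmptyPasswords=no \
                X11Forwarding=no AllowTcpForwarding=no; do
        key="${want%%=*}"; val="${want#*=}"
        have="$(sshd_get "$conf" "$key")"
        if [ "$have" != "$val" ]; then
            echo "WEAK: $key=${have:-unset} (expected $val)"; rc=1
        fi
    done
    # A misspelt keyword such as "Login GraceTime" shows up as an unset LoginGraceTime
    [ -n "$(sshd_get "$conf" LoginGraceTime)" ] ||
        { echo "WEAK: LoginGraceTime unset (check the spelling of the keyword)"; rc=1; }
    # Trailing comments: sshd aborts with "garbage at end of line"
    grep -n '^[[:space:]]*[A-Za-z][A-Za-z0-9]*[[:space:]][^#]*#' "$conf" |
        sed 's/^/WEAK: trailing comment (sshd rejects this line): /' | grep . && rc=1
    # Duplicates: only the first is used, the later one is silently ignored
    awk '$1 !~ /^#/ && NF > 1 { k = tolower($1); if (k in seen) print "WEAK: duplicate keyword " $1 " on line " NR ", first value wins"; seen[k] = 1 }' "$conf" |
        grep . && rc=1
    return $rc
}

# Demo on the constructed sample.
t="$(mktemp)"
sshd_sample_conf "$t"
sshd_audit "$t" || echo "audit: problems found"
rm -f "$t"
```

On a live host, sshd -t checks the syntax and sshd -T prints the effective values after all rules are applied; this script is for files you cannot run sshd against, such as copies collected from many servers.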