January 9th, 2008 admin
DISCLAIMER:
You are following these suggestions at your own risk. We do not claim them to be correct, complete or working for you. We will not support the instructions. We will not be bound by any liabilities neither direct nor implied. YOU ARE ACTING AT YOUR OWN RISK. If you are not sure of what you are doing we suggest you contact an expert. Otherwise we are happy to be of service and your comments are appreciated: support@blue.net.au
- Shut down all programs (servers) that would write to or read from the directory to be moved. The example I am using is moving /var/log to a new location (/aux; see also how to add a new hard disk). So shut down syslog, squid and httpd with:
/etc/r*/*/squid stop
/etc/r*/*/httpd stop
/etc/r*/*/syslog stop
(There might be others. Please check, and don't forget your users if you move /home or /usr.)
- Type:
mv /var/log /aux/var/log
- Create a link from the old to the new location:
ln -s /aux/var/log /var/log
- Start the servers you shut down:
/etc/r*/*/squid start
/etc/r*/*/httpd start
/etc/r*/*/syslog start
- Done. All should now work as before. Examine your disk space with:
df -h
Disclaimer:
By reading and/or using the information within this web page you agree to hold the author, publisher and all related entities harmless from any claim directly or indirectly related to the information given or the use of any part of the information on this web site. Use at own risk. No responsibility taken.
Posted in Linux | Comments Off on How to move directories
January 9th, 2008 admin
Normally, upon booting you would end up with the GRUB command prompt:
grub>
Type the following to boot your machine:
root (hd0,0)
# adjust this to suit your machine eg. (sd0,0) for SCSI disk
kernel /vmlinuz-2.6.9-1.724_FC3 ro root=LABEL=/
# if you don’t know what your kernel is called use the TAB key
initrd /initrd-2.6.9-1.724_FC3.img
# if you don’t know what your initrd is called use the TAB key
boot
That should make your machine boot, and you can then re-run:
grub-install /dev/hda
# obviously adjust accordingly to your boot device (/dev/sda for SCSI drive)
Posted in Linux | Comments Off on Boot server when grub-install did not work
January 9th, 2008 admin
Check the modem and port (usually ttyS1) with minicom (you may have to set up minicom first with minicom -s).
ttyS0 = COM1, ttyS1 = COM2, ...
Install mgetty if not already installed; check with rpm -q mgetty.
Edit /etc/inittab so that init respawns mgetty on the modem port (add a line similar to):
S1:23456:respawn:/sbin/mgetty ttyS1 -m '"" ATW0&F0&V0S0=0E1Q0V1&C1&S0M0 OK' -s 115200 -n 1 -D on
or simply
S1:23456:respawn:/sbin/mgetty ttyS1 -s 115200 -n 1 -D on
Note: ATW0... is the initialisation string passed to the modem at respawn. Check that it is correct for your modem.
Edit login.config:
vi /etc/mgetty+sendfax/login.config
and add the following line:
/AutoPPP/ - ppp /usr/sbin/pppd auth -chap +pap login
add the following line to /etc/ppp/pap-secrets:
* * "" *
Create /etc/ppp/options.ttyS1 similar to:
192.168.100.3:192.168.80.9
# authentication can either be pap or chap. As most people only want to
# use pap, you can also disable chap:
require-pap
refuse-chap
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
ms-dns 192.168.100.4
ms-dns 192.168.100.1
# Netbios
ms-wins 192.168.100.11
ms-wins 192.168.100.7
# Require the peer to authenticate itself before allowing network
# packets to be sent or received.
# Please do not disable this setting. It is expected to be standard in
# future releases of pppd. Use the call option (see manpage) to disable
# authentication for specific peers.
#auth
# Use hardware flow control (i.e. RTS/CTS) to control the flow of data
# on the serial port.
crtscts
# Specifies that pppd should use a UUCP-style lock on the serial device
# to ensure exclusive access to the device.
lock
# Use the modem control lines.
modem
# Use the system password database for authenticating the peer using
# PAP. Note: mgetty already provides this option. If this is specified
# then dialin from users using a script under Linux to fire up ppp wont work.
login
# Specifies that pppd should disconnect if the link is idle for n seconds.
#idle 1800
# Disable the IPXCP and IPX protocols.
noipx
# ---<End of File>---
Posted in Linux | Comments Off on Howto set up up a Linux Dial-in server
January 9th, 2008 admin
To use these scripts you must:
- 1. Edit ppp-on to enter your Username and Password.
- 2. Copy ppp-on into /usr/sbin
- 3. Copy ppp-on-dialer into /etc/ppp. It replaces another script by the same name.
- 4. Copy resolv.conf into /etc
- 5. To connect type ppp-on in an xterm if you wish to run Netscape or Arena. You can run Lynx from the console if you prefer a browser without graphics.
- 6. If you are running Netscape in an X Window, start it after you have connected with ppp-on.
- 7. Don’t forget to run ppp-off to end a session.
ppp-on:
#!/bin/sh
#
# The first of two Scripts to initiate a ppp connection to ComCen.
# This is not a secure pair of scripts as the codes
# are visible with the 'ps' command. However, it is simple.
#
# These are the parameters. Insert your Username and Password.
TELEPHONE=99040600      # The telephone number for the connection
ACCOUNT=george_b        # The account name for logon (eg: george_b)
PASSWORD=mwab43m6       # The password for this account (eg: mwab43m6)
LOCAL_IP=0.0.0.0        # Don't change unless you have a static IP
REMOTE_IP=0.0.0.0       # Don't Change
NETMASK=255.255.255.0   # The proper netmask if needed
#
# Export them so that they will be available at 'ppp-on-dialer' time.
export TELEPHONE ACCOUNT PASSWORD
#
# This is the location of the script which dials the phone and logs
# in. Please use the absolute file name as the $PATH variable is not
# used on the connect option. (To do so on a 'root' account would be
# a security hole so don't ask.)
#
DIALER_SCRIPT=/etc/ppp/ppp-on-dialer
#
# Initiate the connection
#
# I put most of the common options on this command. Please, don't
# forget the 'lock' option or some programs such as mgetty will not
# work. The asyncmap and escape will permit the PPP link to work with
# a telnet or rlogin connection. You are welcome to make any changes
# as desired. Don't use the 'defaultroute' option if you currently
# have a default route to an ethernet gateway.
#
exec /usr/sbin/pppd debug lock modem crtscts /dev/ttyS1 115200 \
    asyncmap 20A0000 escape FF kdebug 0 $LOCAL_IP:$REMOTE_IP \
    noipdefault netmask $NETMASK defaultroute connect $DIALER_SCRIPT
ppp-on-dialer:
#!/bin/sh
# You do not need to edit this script.
# This is part 2 of the ppp-on script. It will perform the connection
# protocol for the desired connection.
#
exec chat -v \
    TIMEOUT 3 \
    ABORT '\nBUSY\r' \
    ABORT '\nNO ANSWER\r' \
    ABORT '\nRINGING\r\n\r\nRINGING\r' \
    '' \rAT \
    'OK-+++\c-OK' ATH0 \
    TIMEOUT 90 \
    OK ATDT$TELEPHONE \
    CONNECT '' \
    sername:--sername: $ACCOUNT \
    assword: $PASSWORD
ppp-off:
#!/bin/sh
######################################################################
#
# Determine the device to be terminated.
#
if [ "$1" = "" ]; then
    DEVICE=ppp0
else
    DEVICE=$1
fi
######################################################################
#
# If the ppp0 pid file is present then the program is running. Stop it.
if [ -r /var/run/$DEVICE.pid ]; then
    kill -INT `cat /var/run/$DEVICE.pid`
#
# If the kill did not work then there is no process running for this
# pid. It may also mean that the lock file will be left. You may wish
# to delete the lock file at the same time.
    if [ ! "$?" = "0" ]; then
        rm -f /var/run/$DEVICE.pid
        echo "ERROR: Removed stale pid file"
        exit 1
    fi
#
# Success. Let pppd clean up its own junk.
    echo "PPP link to $DEVICE terminated."
    exit 0
fi
#
# The ppp process is not running for ppp0
echo "ERROR: PPP link is not active on $DEVICE"
exit 1
resolv.conf:
search blue.net.au
nameserver 192.168.100.1
nameserver 192.168.100.2
Posted in Linux | Comments Off on Linux Dialup Connection
January 9th, 2008 admin
Configuration & Syntax
Document conventions
eth0 – name of your external interface (connected to the world)
eth1 – name of your internal interface (connected to the LAN)
ip_address_of_eth0 – numeric dotted quad IP address of your eth0 in the form of x.x.x.x
ip_address_of_eth1 – numeric dotted quad IP address of your eth1 in the form of x.x.x.x
Tables, chains, and rules
Catholic jokes aside, when you construct firewall rules using Iptables, it’s important to understand the distinction between tables, chains and rules.
A table provides a certain functionality. The default tables are filter, nat and mangle (unless you applied the experimental drop table patch). There is no way (and no reason) to create custom tables via syntax.
A chain is the path that a packet can travel. Different tables contain different built-in chains (more below). User-defined chains can be targets of built-in chains. If a packet traverses a custom chain without a match, it is returned to the calling chain. If a packet traverses a built-in chain without a match, it is accepted or dropped depending on the default policy of that chain.
Rules are what you put in chains to achieve a desired match.
Packet Traversal
Before you can make effective rules, you'll first have to understand how a packet travels through Netfilter's tables and chains.

More details of how a packet traverses netfilter can be found at http://ods.dyndns.org/ipt_flow.html. With the permission of the author, I’ve mirrored the page at http://www.knowplace.org/netfilter/ipt_flow_mirror.html.
Bootstrapping Iptables
Chain syntax
- Create a new chain
iptables -N name_of_chain
- Delete an empty chain – only for custom chains
iptables -X name_of_chain*
*if name_of_chain is omitted, it deletes all custom chains.
- Change the default policy for a built-in chain
iptables -P name_of_chain name_of_policy*
*DROP or ACCEPT
- List the rules in a chain
iptables -L name_of_chain
- Flush the rules out of a chain
iptables -F name_of_chain*
*if name_of_chain is omitted, it flushes all chains.
- Zero the packet and byte counters on all rules in a chain
iptables -Z name_of_chain
Rule syntax
A typical Iptables rule command will specify:
- A table (-t table_name). If omitted, this will default to the filter table. Other built-in tables are nat and mangle.
- A rule action to perform on a chain: append (-A), delete (-D), replace (-R) or insert (-I), followed by the name of a chain in this table
- Built-in chains for the filter table are INPUT, FORWARD and OUTPUT
- Built-in chains for the nat table are PREROUTING, POSTROUTING and OUTPUT
- Built-in chains for the mangle table are PREROUTING and OUTPUT
- What to match. Available matches are (this list is incomplete):
- -p (protocol: TCP, UDP, ICMP, etc. Can be numeric; see /etc/protocols)
- -s (source address)
- -d (destination address)
- -i (incoming interface)
- -o (outgoing interface; note that this specifies the interface the packet is sent on, not the interface the packet came in on)
- --fragment (will only attempt to match second and further fragments of fragmented packets, since there is no way to tell the source and destination ports, or ICMP type, of such a packet)
- --dport (destination port)
- --sport (source port)
- --port (source and destination ports are both equal to the specified value)
- --mark (nfmark value)
- --tcp-flags (allows TCP-flag-based matching)
- --syn (shorthand for --tcp-flags SYN,RST,ACK SYN)
- --tcp-option (examines the numeric value of the TCP option in a TCP header; will drop the packet if the TCP header is incomplete)
- --state (NEW, ESTABLISHED, RELATED, INVALID)
- --mac-source (source MAC address)
- -m unclean (this actually loads a module to attempt to match unusual or malformed packets; EXPERIMENTAL)
- --tos (TOS value of the packet)
- --ttl (TTL value of the packet)
General rate limit section
- --limit (match rate limiting; the value can be given per second, minute, hour or day)
- --limit-burst (maximum burst number before the set rate limit is imposed)
IP based rate limit section (TCP) – experimental
- --iplimit-above (allows you to restrict the number of parallel TCP connections by IP address or address block)
Owner matching section
- --uid-owner userid (matches if the packet was created by a process with the given effective numeric user ID)
- --gid-owner groupid (matches if the packet was created by a process with the given effective numeric group ID)
- --pid-owner processid (matches if the packet was created by a process with the given process ID)
- --sid-owner sessionid (matches if the packet was created by a process in the given session group)
Port scan detection section – experimental
- --psd-weight-threshold (threshold)
- --psd-delay-threshold (delay)
- --psd-lo-ports-weight (weight)
- --psd-hi-ports-weight (weight)
- Where to send the packet if it matches. Available targets are:
- ACCEPT – accept the packet
- DROP – silently drop the packet
- REJECT – drop the packet and inform the sender
- LOG – log the packet via syslogd and continue traversal
- ULOG – send the packet to an userspace logging process (experimental)
- MIRROR – swap the source/destination IP address and resend the packet (experimental)
- QUEUE – queue the packet to an userspace process – if there is no userspace process, the packet is eventually dropped
- RETURN – return to previous (calling) chain
- Name_of_a_custom chain – user defined, typically in lowercase but can be in uppercase as well
For example: iptables -t mangle -A PREROUTING -m state --state NEW -d 255.255.255.255 -i eth0 -j DROP (this command appends a rule to the PREROUTING chain of the mangle table, loads the state module, matches packets arriving on eth0 that initiate new connections with a destination address of 255.255.255.255, and drops the matching packets without logging them)
Iptables rules for a simple masquerading gateway (no server services)
- Blocks all new connections unless initiated from the “protected” network.
iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j DROP
- Jump to the state_chk chain from INPUT and FORWARD chains.
iptables -A INPUT -j state_chk
iptables -A FORWARD -j state_chk
- Masquerade connections – only needed on the firewall box if you have an internal network that you wish to route traffic to and from the Internet.
- Enable IP forwarding between the interfaces – remember to disable this if you’re going to unload the Iptables rules.
echo "1" > /proc/sys/net/ipv4/ip_forward
- Load the NAT modules – needed only if you compiled as modules
modprobe iptable_nat
modprobe ip_nat_ftp (needed only if you plan on using FTP)
- Enable IP masquerading – Use if your eth0 has a dynamic IP address. For static IP, it’s recommended that you use source NAT instead.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- Enable source NAT – Use if your eth0 has a static IP address.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address_of_eth0
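The traversal rules described under "Tables, chains, and rules" (first match wins, a custom chain returns to its caller when nothing matches, a built-in chain falls through to its policy) can be checked against the state_chk rules above with this small model. It is an added example, not part of the original page or of iptables; the Packet, Rule and Table names are its own.

```python
"""Toy model of Netfilter chain traversal (added illustration, not part of the
original page or of iptables).  It implements the semantics the page describes:
rules in a chain are tried in order and the first match wins; a user-defined
chain that finishes without a match hands the packet back to the calling
chain; a built-in chain that finishes without a match falls through to its
default policy.  gateway_filter_table() loads the page's state_chk rules."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    state: str      # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    match: Callable[[Packet], bool]   # predicate over the packet
    target: str                       # ACCEPT, DROP, RETURN or a chain name


@dataclass
class Table:
    builtin_policy: Dict[str, str]                          # built-in chain -> policy
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def new_chain(self, name: str) -> None:                 # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:       # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def traverse(self, chain: str, pkt: Packet) -> str:
        """Verdict (ACCEPT or DROP) for pkt entering the built-in chain `chain`."""
        verdict = self._walk(chain, pkt)
        if verdict == RETURN:
            # Fell off the end of a built-in chain: the default policy applies.
            return self.builtin_policy[chain]
        return verdict

    def _walk(self, chain: str, pkt: Packet) -> str:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target in (ACCEPT, DROP):
                return rule.target                          # terminating target
            if rule.target == RETURN:
                return RETURN
            # Jump into a user-defined chain; RETURN means "carry on here".
            sub = self._walk(rule.target, pkt)
            if sub != RETURN:
                return sub
        return RETURN               # no match: back to caller / on to policy


def gateway_filter_table(external_iface: str = "eth0") -> Table:
    """The page's state_chk chain: accept ESTABLISHED,RELATED; accept NEW only
    if it did not arrive on the external interface; otherwise DROP.  INPUT and
    FORWARD jump to it unconditionally."""
    t = Table(builtin_policy={"INPUT": ACCEPT, "FORWARD": ACCEPT, "OUTPUT": ACCEPT})
    t.new_chain("state_chk")
    t.append("state_chk", Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), ACCEPT))
    t.append("state_chk", Rule(lambda p: p.state == "NEW" and p.in_iface != external_iface, ACCEPT))
    t.append("state_chk", Rule(lambda p: True, DROP))
    t.append("INPUT", Rule(lambda p: True, "state_chk"))
    t.append("FORWARD", Rule(lambda p: True, "state_chk"))
    return t


def verdicts(t: Table) -> Dict[str, str]:
    """Verdicts for a few constructed packets entering INPUT, keyed by label."""
    cases = {
        "new_from_internet": Packet("eth0", "NEW"),
        "new_from_lan": Packet("eth1", "NEW"),
        "reply_from_internet": Packet("eth0", "ESTABLISHED"),
        "invalid_from_lan": Packet("eth1", "INVALID"),
    }
    return {label: t.traverse("INPUT", p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, v in verdicts(gateway_filter_table()).items():
        print(f"{label:22s} -> {v}")
```

The final unconditional DROP in state_chk is what makes the chain a real gate: without it, a packet nothing matched would RETURN to INPUT and be accepted by the ACCEPT policy.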
Port Forwarding
Port Forwarding in Netfilter is done with Iptables. You do not need another tool (such as ipmasqadmin w/ Ipchains). This is only needed if you need to forward traffic from one machine to another. Note that this is different from redirecting traffic.
Port forwarding under Netfilter is done via a two step process.
- Destination NAT the packets (changes the destination IP address in the IP header and port number in the TCP/UDP header)
iptables -t nat -A PREROUTING -i eth0 -p protocol -d ip_address_of_eth0 --dport original_port_number -j DNAT --to destination_ip_address:destination_port_number
- Forward the natted packets (allow the natted packet to be forwarded)
iptables -A FORWARD -i eth0 -o eth1 -p protocol -d destination_ip_address --dport destination_port_number -j ACCEPT
Note that port forwarding also requires IP forwarding and masq’ing or source NAT (the return packets need their source IP addresses to be modified as well).
Putting it together (rc files and such)
Now that you have your first working firewall, you’ll probably want to keep these rules in effect between boots. There are basically two options. The first is to include all of the rules and syntax in a custom rc shell script. The second is to use the iptables-save and iptables-restore commands (currently experimental and only recommended for brave souls).
To use the rc script approach, start your firewall rc file immediately after your network initialisation. Actually, the exact time at which you start your firewall rc script isn't that crucial, because you can set up rules for interfaces that don't exist yet.
Iptables help
Note that below is simply the output of ‘iptables -h’. It is not a complete list of options. For more details, please see the iptables(8) man pages.
iptables v1.2.2

Usage: iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --check   -C chain            Test this packet on chain
  --new     -N chain            Create a new user-defined chain
  --delete-chain -X [chain]     Delete a user-defined chain
  --policy  -P chain target     Change policy on chain to target
  --rename-chain -E old-chain new-chain
                                Change chain name, (moving any references)

Options:
  --proto         -p [!] proto          protocol: by number or name, eg. `tcp'
  --source        -s [!] address[/mask] source specification
  --destination   -d [!] address[/mask] destination specification
  --in-interface  -i [!] input name[+]  network interface name ([+] for wildcard)
  --jump          -j target             target for rule (may load target extension)
  --match         -m match              extended match (may load extension)
  --numeric       -n                    numeric output of addresses and ports
  --out-interface -o [!] output name[+] network interface name ([+] for wildcard)
  --table         -t table              table to manipulate (default: `filter')
  --verbose       -v                    verbose mode
  --line-numbers                        print line numbers when listing
  --exact         -x                    expand numbers (display exact values)
[!] --fragment    -f                    match second or further fragments only
  --modprobe=                           try to insert modules using this command
  --set-counters PKTS BYTES             set the counter during insert/append
[!] --version     -V                    print package version.
Posted in Linux | Comments Off on IPTABLES – Configuration & Syntax
January 9th, 2008 admin
- Requirements:
Access to Primary & Secondary DNS
Access to Web Server
Access to Mail Server
Access to any other servers to be setup
- MAIL setup
Add appropriate name to the /etc/sendmail.cw (eg. mail.blue.net.au)
Add appropriate redirection details to /etc/mail/virtusertable
Add appropriate access levels to /etc/mail/access
Restart sendmail
- WWW setup
Create index.html file in directory /home/httpd/html/NEWDOMAIN/html
Add new virtual domain to the end of /etc/httpd/conf/httpd.conf
Restart httpd
- DNS setup
Add appropriate line to /etc/named.conf and/or /etc/named.boot
Create appropriate file in /var/named
Do same on both Primary & Secondary DNS
Restart named on both machines
Posted in Linux | Comments Off on How to add virtual domain
January 9th, 2008 admin
- Shut down the server when convenient
- Install disk drive
- Setup BIOS on bootup
- Start server normally.
- Go to command prompt
- Type: fdisk /dev/hdc to configure the new partition and / or to get rid of the old (WIN) partition
- /sbin/mkfs -c /dev/hdc1 (checks the drive for bad blocks before making the file system)
- /sbin/mkfs /dev/hdc1 formats the new partition(s)
- e2fsck -c /dev/hdc1 will do a read test checking for bad blocks on the drive, again. This is important to do with pre-loved drives.
- Edit /etc/fstab to include the new file system, so it is available when you restart the computer. This can also be done with linuxconf (in Config / File System / Access local drive)
- You should also mount (also possible through linuxconf) the new file system. The command would be: mount /dev/hdc1 /aux
- Then you can start using the new disk. REBOOTING (like in Windows) IS NOT NECESSARY.
Extract from the SLUG.org.au mailing list: REPLACING A DISK WITH ANOTHER
On Wed, 29 Mar 2000,
Matthias Oertli generated:
>Hi all,
>I need to copy the contents of a linux partition onto a bigger
>partition on a replacement harddisk. I’d like an exact copy with all
>the permissions intact, etc.
>Would a simple cp -a /oldhd/* /newhd/* do the trick is there a
>better way?
* get tomsrtbt distro, install onto a floppy.
* turn off putr, install new disk, leave in old disk
* boot tomsrtbt & login
* mount /dev/hdold /mnt (or whatever)
* mkdir /mntnew
* mke2fs /dev/hdnew (assuming that there is no filesystem on this disk already)
* mount /dev/hdnew /mntnew
* cd /mnt
* tar cf - * | (cd /mntnew ; tar xf -)
* wait for a while
* once done, check to make sure the /mntnew filesystem seems intact
* umount /mntnew and /mnt
* mount the root partition, edit /etc/fstab on *it* (not the tomsrtbt) to make sure you mount the new drive in the right place
* reboot
* take out tomsrtbt disk ;-)
The important line here is the tar line; this will preserve symlinks (a few caveats apply) and permissions and everything while copying a directory tree to another directory/filesystem/etc. Hope this helps --
jamesw
I think that you’ll need the second tar to be “tar xfp” (I usually use “tar xvfp” for amusement’s sake).
Man tar says:
-p, --same-permissions, --preserve-permissions
    Extract all protection information.
from which I have always concluded that without -p you get the operator's (root's) current permissions on everything.
You probably want an "l" or "--one-file-system" option on the first tar too, so that it doesn't follow a symlink onto some partition other than /mntold.
-- Andrew
Posted in Linux | Comments Off on How to add a new / extra disk to server
January 9th, 2008 admin
Setting up a mysql database for a user
======================================
Note. There is a very popular administration tool called phpMyAdmin at
http://www.phpmyadmin.net
Login to mysql and add an accout and a new database.
---------------------------------------------------
1. Login to mysql with your mysql root password:
Note. If this fails, maybe this is a first time login. See below.
$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.
mysql>
2. Use the MYSQL admin database
mysql> use mysql;
3. Add a user called XXX with password YYY:
mysql> insert into user (host, user, password) values('localhost', 'XXX', password('YYY'));
Query OK, 1 row affected (0.04 sec)
4. Create a database for WWW called ZZZ:
mysql> create database ZZZ;
Query OK, 1 row affected (0.01 sec)
5. Allow XXX (the localhost account created in step 3) to administer the database called ZZZ:
mysql> grant all privileges on ZZZ.* to 'XXX'@'localhost';
Query OK, 0 rows affected (0.02 sec)
6. Tell mysql to update the mysql users and exit:
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
Bye
$
First time root login to mysql only.
-----------------------------------
1. First time mysql login (no mysql root password set yet):
$ mysql -uroot
Welcome to the MySQL monitor.
mysql>
2. Set your system wide mysql root password. Change the xxxxxx to your
password. Be careful to keep the quotemarks around the word root and
your xxxxxx:
mysql> use mysql;
Database changed
mysql> update user set password=password('xxxxxx') where user='root';
Query OK, 2 rows affected (0.00 sec)
Rows matched: 2 Changed: 2 Warnings: 0
3. Finish:
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
Bye
$
Posted in Linux | Comments Off on Add users to MYSQL
January 9th, 2008 admin
Wed Mar 1 16:14:18 CET 2006
(as copied from :
http://rudd-o.com/archives/2006/02/27/hardening-a-linux-server-in-10-minutes/ )
Did you know that a freshly installed Linux server can be hardened in
less than 10 minutes? Here's how!
Print these instructions out, and keep them posted on a wall in your
office or home. Before plugging in a freshly installed network server,
simply remember to follow these instructions. Make these instructions
second nature to you.
You'll need a bit of experience with the Linux command-line environment,
as the following commands are usually issued in a terminal. You will
need root access on your server as well. By the way, the following
instructions apply to any LSB-compliant Linux distribution, but I'll use
Fedora Core as an example.
Step 1: turn all unneeded services off
There are two kinds of network services:
those that get started as init.d services
those that get started by xinetd
This distinction is important, as xinetd can start services on demand,
while services started through init.d run all the time.
Okay, time to start securing your server. On a terminal, as root (and,
for the purposes of this tutorial, assume this from now on) run netstat
-ltunp. You should see a listing like this one:
[root@andrea rudd-o]# netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3493 0.0.0.0:* LISTEN 30562/upsd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 12461/mysqld
tcp 0 0 0.0.0.0:6543 0.0.0.0:* LISTEN 12490/mythbackend
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1771/portmap
tcp 0 0 0.0.0.0:6544 0.0.0.0:* LISTEN 12490/mythbackend
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 31537/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2143/sendmail: acce
tcp 0 0 :::80 :::* LISTEN 5024/httpd
tcp 0 0 :::22 :::* LISTEN 2009/sshd
tcp 0 0 0.0.0.0:19 0.0.0.0:* LISTEN 2019/xinetd
Those are all processes listening to specific ports. As you can see,
the PID (process ID) and the program name are displayed as well.
Make two lists: one for the services you absolutely need (which you
should already know by heart), and one for the services that are
expendable or that you can start manually when they're needed (tip: each
program usually ships with a man page).
Shut down each service on the second list (except for xinetd). That's a
pretty straightforward task. Each one of those services is started by
init.d. To find out the name of the service control script, just hop to
/etc/rc.d/init.d and look for a file with a name similar to the program
name.
Example: suppose I don't need mythbackend. To stop it:
/etc/rc.d/init.d/mythbackend stop (some distributions provide the
service mythbackend stop command, which is easier on your fingers).
1 of 3 16/03/2006 22:05
The R Zone: Hardening a Linux Server in 10 Minutes http://crashrecovery.org/hardening.html
Now, to disable it: chkconfig --del mythbackend. After doing this, you
should check to see if the offending service went away, with the same
netstat -ltunp command.
That pesky xinetd
Great. So you got rid of the unneeded services. But there's more. As we
saw earlier, xinetd has its own ways. In practice, this means that some
services will be started on demand; thus, you won't see them under your
netstat -ltunp listing.
To find out which services xinetd manages, hop to /etc/xinetd.d and do
a directory listing. You should see some service configuration files.
Identify the ones you won't be using, and edit each one of them, adding
a line that says disable = yes between the curly braces.
Note that some services already ship with disable = yes, but some ship
with disable = no. If one of the configuration files says disable = no,
just change it to disable = yes. Now reload xinetd with the famous
/etc/rc.d/init.d/xinetd reload, and run netstat -ltunp again, just to
be sure.
That's step 1. With a bit of practice, you should be doing this in five
minutes or less.
Step 2: limit access to running services using iptables
Great, our server now runs the absolutely required services, and no
more. But some of those services aren't meant to be accessed from
everywhere, right? For example: I may have a MySQL database server
running, but that doesn't mean MySQL should be accessible from any
random IP address on the Internet, right?
So, well use the firewall to stop evil at the door. Again, make a list
of services. For each item on the list, identify which IP addresses
should be able to reach the service. For each service on your list,
write down the TCP/UDP port(s) they use.
In my example, MySQL uses TCP port 3306, and should only be accessible
by localhost (127.0.0.1).
Time to compose and activate the iptables rules. Doing a quick check
with iptables -L, I can see that my INPUT chain (the one I'll be working
with, since I want to disallow INPUTs to my server) is empty:
[root@andrea xinetd.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Your mileage may vary, because your distribution may already have set
up some basic iptables rules; to make these instructions foolproof, I
will be inserting rules at the beginning of the INPUT chain.
In this case, I want to allow access to 127.0.0.1:3306, and deny access
to everyone else on port 3306, in that order. So two rules are needed.
I'll add the allow rule into position 1 (the very first):
[root@andrea xinetd.d]# iptables -I INPUT 1 --protocol tcp --destination-port 3306 -s 127.0.0.1 -j ACCEPT
[root@andrea xinetd.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost.localdomain anywhere tcp dpt:mysql
Great. I'm telling the firewall to -j ACCEPT all --protocol tcp
connections to --destination-port 3306 from the address -s 127.0.0.1.
Now, I'll insert the deny rule into position 2:
[root@andrea xinetd.d]# iptables -I INPUT 2 --protocol tcp --destination-port 3306 -j REJECT
[root@andrea xinetd.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost.localdomain anywhere tcp dpt:mysql
REJECT tcp -- anywhere anywhere tcp dpt:mysql reject-with icmp-port-unreachable
See how easy it is? Let me explain: rule 2 tells the firewall to -j
REJECT all --protocol tcp connections to --destination-port 3306 from
any address (since I omitted the address). Since rules are processed
top-down (from 1 to n), the first one that matches an incoming
connection is applied. If no rules match, then the default policy
(which is normally ACCEPT) kicks in.
Lather. Rinse. Repeat for every service that you want to secure.
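To repeat that audit for every service without reading the netstat columns by eye, the following added example (not part of the original article) parses a constructed netstat -ltunp listing, flags listeners bound to every interface, and emits the article's allow-then-REJECT INPUT rule pair for each exposed port that has an allow-list; parse_netstat, exposed and restrict_rules are names of this example.

```python
"""Added example (not from the original article): audit `netstat -ltunp`
output and generate the article's two-step restriction rules.  The listing
below is constructed from the article's sample plus one UDP line."""
import re
from typing import Dict, List, NamedTuple

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      12461/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1771/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      31537/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2143/sendmail: acce
tcp        0      0 :::80                   :::*                    LISTEN      5024/httpd
tcp        0      0 :::22                   :::*                    LISTEN      2009/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2301/ntpd
"""


class Listener(NamedTuple):
    proto: str      # "tcp" or "udp" (tcp6/udp6 are folded into tcp/udp)
    addr: str       # bound address; 0.0.0.0 or :: means every interface
    port: int
    program: str    # program name from the PID/Program name column


# Columns: Proto Recv-Q Send-Q Local Foreign [State] PID/Program.  The State
# column is empty for UDP, so LISTEN is optional and the program name is
# whatever follows the PID.
_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*"
    r"(?:LISTEN\s+)?(?P<pid>\d+|-)/?(?P<prog>.*)$")


def parse_netstat(text: str) -> List[Listener]:
    """Turn netstat -ltunp output into Listener records, skipping headers."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")
        found.append(Listener(m.group("proto").rstrip("6"), addr, int(port),
                              m.group("prog").strip() or "?"))
    return found


def exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners bound to the wildcard address, i.e. reachable from any IP."""
    return [lst for lst in listeners if lst.addr in ("0.0.0.0", "::")]


def restrict_rules(listeners: List[Listener],
                   allow: Dict[int, List[str]]) -> List[str]:
    """For each exposed port with an allow-list, the article's pattern: ACCEPT
    rules for the allowed sources first, then a REJECT for everyone else.
    Commands are returned in typing order, so the -I positions stay valid."""
    cmds = []
    for lst in exposed(listeners):
        if lst.port not in allow:
            continue
        pos = 1
        for src in allow[lst.port]:
            cmds.append(f"iptables -I INPUT {pos} --protocol {lst.proto} "
                        f"--destination-port {lst.port} -s {src} -j ACCEPT")
            pos += 1
        cmds.append(f"iptables -I INPUT {pos} --protocol {lst.proto} "
                    f"--destination-port {lst.port} -j REJECT")
    return cmds


if __name__ == "__main__":
    listeners = parse_netstat(SAMPLE_NETSTAT)
    for lst in exposed(listeners):
        print(f"exposed: {lst.proto}/{lst.port} ({lst.program})")
    # Constructed allow-list: MySQL from localhost only, as in the article.
    for cmd in restrict_rules(listeners, {3306: ["127.0.0.1"]}):
        print(cmd)
```

Ports already bound to 127.0.0.1 (cupsd, sendmail in the sample) are not exposed and get no rules; the generated commands are printed for review rather than executed.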
Finally, save the rules. For this, you'll need to use your distribution's
tools. For Fedora Core, that's as easy as issuing the command service
iptables save and ensuring that the iptables service runs at boot time:
chkconfig --add iptables.
It's worth noting that some people prefer to -j DROP instead of DENYing.
DROP means that your server will ignore connection attempts (neither
denying connections nor accepting them). I prefer DENY, because it's
easier to pinpoint a problem with iptables rules that way, and (most
importantly) DROP rules make those ports appear as filtered to a
hostile port scanner (which hints to the attacker that a service is
running).
So that's it, from insecure to secure in 10 minutes! If you have any
suggestions or questions, please leave them as comments below. Happy
hacking!
This entry was posted on Monday, February 27th, 2006 at 18:55 and is
filed under Publicaciones, Software libre, Linux.
Except where expressly acknowledged, this work is distributed and
licensed to you under the terms of this license. For other licenses,
contact Rudd-O.
Posted in Linux | Comments Off on Hardening a Linux Server in 10 Minutes