
Archive for the ‘Server Admin’ Category

Set Up Secure FTP

February 2, 2009 1 comment

As popular as FTP is, FTP communication is not secure: usernames, passwords and file contents all travel in plain text and can be captured by anyone on the path. Despite this serious weakness, few do anything to secure it. There are simple ways to correct this with vsftpd.

SSL/TLS With FTP

FTPS is also known as FTP Secure or FTP-SSL. What FTPS does is add Transport Layer Security (TLS), the successor of the Secure Sockets Layer (SSL), to normal FTP on the same port 21: the client connects in the clear, sends AUTH TLS, and from then on the control connection (and, with PROT P, the data connections) is encrypted. This is explicit FTPS; the older implicit variant listens on a separate port, 990. It is easy to confuse FTPS on port 21 with SFTP, which is not FTP at all but a file transfer subsystem of SSH on port 22.
Add these settings to your /etc/vsftpd.conf file and you will have an anonymous FTP server that allows anyone to download files from /var/ftp but not upload. It will also protect all of your local users, since they must log into their home directories over TLS.

anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/vsftpd.pem
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Many distributions ship a self-signed certificate and the default vsftpd.conf already points at it, in which case you do not need to create one; if yours does not, create one as shown in the next section. Notice that TLS is only forced for local logins, users who have accounts on the machine; anonymous sessions may still run in plain text, which is acceptable only because they can do nothing but download public files. Make sure ssl_sslv2 and ssl_sslv3 are set to NO: both protocols are broken and must not be offered, so that only TLS remains. The connection will still be on port 21. Once you have the server set up you will need a client that is FTPS compatible.
 
Create Self-Signed Certificate
You can create a self-signed certificate with this command, which generates a 2048-bit RSA key and a certificate valid for 1 year and saves both in one PEM file in /etc. Because -nodes leaves the private key unencrypted, restrict the file to root (mode 0600). Note that you will need to change the /etc/vsftpd.conf file to enter the path of this file. You will be asked several questions which identify your organization; the Common Name should be the host name that clients will connect to, or certificate checking on the client will fail.
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
Generating a 2048 bit RSA private key
……++++++
..++++++
writing new private key to ‘/etc/vsftpd.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:Trout Creek
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example LTD
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:example.com
Email Address []:fsmith@example.com

Edit /etc/vsftpd.conf and comment out the rsa certificate and private key files that are there by default and add these lines which show the path to your self-signed certificate.
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
Restart the ftp server.

service vsftpd restart

Using a FTP Client that is SSL/TLS Compatible

The popular Linux FTP client gFTP will not connect using SSL when you are using a self-signed certificate; you would have to purchase a certificate from a public CA for your business. Another Linux alternative is ftp-ssl. This is a command line version of ftp that replaces the ftp binary and functions the same as ftp. It will attempt to connect using SSL and, if the server does not offer it, drop back to regular FTP, so a downgrade goes unnoticed unless you watch for it. The FileZilla version for Linux continued to crash when the connection was made, so it was not a reliable option at the time of writing.
When you connect you will be asked to accept the self-signed certificate, either the one you made or the distribution default. Do not accept it blindly: compare the fingerprint the client shows with the fingerprint of /etc/vsftpd.pem computed on the server itself, otherwise the prompt protects you from nothing, since an attacker in the middle can present a self-signed certificate just as easily.

Accept the certificate and you have encrypted FTP on port 21.
If you have users connecting with FileZilla for Windows, which is reliable, you will need to make these changes so they can log in with TLS. Note the port is still 21 but the Servertype is now FTP over explicit TLS/SSL (FTPES).
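As an added example, not part of the original post and not vsftpd's own code, here is a Python script that checks a vsftpd.conf for the TLS weaknesses discussed above and builds a client-side TLS context that pins the server's self-signed certificate instead of accepting it at a prompt. The two sample configurations are constructed here: the first repeats the settings as originally posted (SSLv2 and SSLv3 enabled), the second is the hardened form. The defaults table assumes the values documented in vsftpd.conf(5), the checks cover only the options discussed on this page, and ftps_context assumes the server supports TLS 1.2 and that you connect using the host name in the certificate.

```python
import ssl
from ftplib import FTP_TLS

# Defaults for the keys the audit reads, as documented in vsftpd.conf(5)
# (assumption: the build in use has not changed them; set them explicitly anyway).
DEFAULTS = {
    "ssl_enable": "NO", "ssl_tlsv1": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "anonymous_enable": "YES", "local_enable": "NO", "ssl_ciphers": "DES-CBC3-SHA",
}

# The settings as originally posted (constructed copy): SSLv2 and SSLv3 enabled.
WEAK_CONF = """\
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/vsftpd.pem
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

# The hardened form: TLS only, strong ciphers, both files named explicitly.
HARDENED_CONF = """\
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
"""


def parse_vsftpd_conf(text):
    """vsftpd.conf is one key=value per line; '#' starts a comment."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def _on(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit_tls(conf):
    """Return the TLS weaknesses found; an empty list means none of these checks fired."""
    if not _on(conf, "ssl_enable"):
        return ["ssl_enable=NO: every login and transfer is plaintext"]
    findings = []
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if _on(conf, key):
            findings.append(f"{key}=YES: obsolete SSL protocol offered to clients")
    if not _on(conf, "ssl_tlsv1"):
        findings.append("ssl_tlsv1=NO: no TLS protocol version is enabled")
    if _on(conf, "local_enable"):
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not _on(conf, key):
                findings.append(f"{key}=NO: local users can log in or transfer in plaintext")
    if conf["ssl_ciphers"].upper() == "DES-CBC3-SHA":
        findings.append("ssl_ciphers=DES-CBC3-SHA (the default): set ssl_ciphers=HIGH")
    return findings


def ftps_context(cafile=None):
    """Client-side context for explicit FTPS (AUTH TLS on port 21).

    Passing the server's own self-signed vsftpd.pem as cafile pins that
    certificate: verification stays on and nothing else is trusted for this
    connection. Hostname checking stays on too, so connect using the name in
    the certificate's CN or subjectAltName. TLS 1.2 as the floor is an
    assumption about the server; lower it only if the server cannot do better.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version == ssl.TLSVersion.TLSv1_2)


def fetch_listing(host, user, password, cafile=None):
    """Log in over explicit FTPS with a protected data channel and return the
    directory listing. Needs a live server; not exercised offline."""
    ftps = FTP_TLS(host, context=ftps_context(cafile))
    try:
        ftps.login(user, password)   # sends AUTH TLS before USER/PASS
        ftps.prot_p()                # encrypt the data connections as well
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    for name, text in (("as posted", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_tls(parse_vsftpd_conf(text)) or "no findings")
```

To use it against a real server, copy /etc/vsftpd.pem to the client and call fetch_listing("example.com", "fsmith", password, cafile="vsftpd.pem"); a man-in-the-middle presenting a different self-signed certificate then fails the handshake instead of producing an "accept?" prompt.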

Categories: Server Admin

Understanding Network Address Translation, NAT

January 31, 2009 Leave a comment

Network Address Translation (NAT) is one of the basic functions of a circuit level gateway. The simple purpose of NAT is to let the hosts of a private network reach the outside world through one or a few public addresses; as a side effect the private addresses are hidden from the outside world. That hiding is not a security control in itself: NAT is not a firewall, and filtering rules are still needed.

Normally, when a router forwards a packet from one segment to another, the packet is unchanged. With NAT, as a packet crosses from a trusted segment of a circuit level gateway to an untrusted segment, the packet is rewritten so that the packet’s source address as it appears on the private segment is replaced by a translated source address. The translated source address is what the outside world sees. Thus, the private address remains hidden from the outside world.
[image: nat1]

When a host on a public network transmits a packet to a host on the private network, the source host addresses the packet to the private host’s publicly translated address. The sender on the public side does not know the destination host’s true address. As the packet crosses the circuit level gateway, the gateway rewrites the packet so that the destination address is translated to the destination host’s private address.

[image: nat2]

This image illustrates the changes in source and destination addresses as packets cross a circuit level gateway performing network address translation

[image: nat3]

One to One Translation
One form of NAT establishes a one to one translation between an equal number of private and public host addresses. For example, each host address on a Class C network on the private side of a circuit level gateway is uniquely mapped to a corresponding host address on a Class C network on the public side of the gateway. If 10.1.1.0/24 is the private network address and 172.19.19.0/24 is the public network address, then outbound packets with a source address of 10.1.1.5 can always be rewritten with a translated source address of 172.19.19.5, and inbound packets with a destination address of 172.19.19.5 can be rewritten with a translated destination address of 10.1.1.5. The mapping is persistent and bi-directional. Therefore, connections may be initiated from either side of the circuit level gateway unless a default deny policy is applied.

Pool of Translated Addresses
One form of NAT maps a large block of addresses from the private network to a small pool of addresses on the public segment. A whole Class A block may be mapped to part of a Class C block. If 10.0.0.0/8 is the private segment’s network address and 172.19.19.0/28 (16 addresses) is the public pool, then an outbound packet with a source address of 10.1.1.5 may be rewritten to have a translated source address of any host address in the pool of 172.19.19.0/28. The NAT gateway will then create a temporary entry in its internal translation table to track the mapping. An inbound packet’s destination address cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

Single Translated Addresses
The form of NAT commonly (but not exclusively) used in commercial circuit level gateways maps any number of addresses from the private network to a single address on the public segment. Given a private segment with the network address 10.0.0.0/8 and a NAT policy that sets 172.19.19.130 as the public address, all outbound packets from the private network will be rewritten to have a translated source address of 172.19.19.130. To correctly map replies to the private host that initiated the connection, the source port number of the outbound packet must also be translated. The NAT gateway will then create a temporary entry in its internal translation table to track the translated source address and port number. An inbound packet’s destination address and port number cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address and port number will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

This image illustrates the changes in IP addresses and port numbers as packets cross a circuit level gateway performing network address and port translation.
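The two forms described above, one-to-one translation and single-address translation with port rewriting, as a small Python model (an added example, not from the original post and not netfilter's code): netmap() is the static mapping, and NaptGateway keeps the temporary translation table, allocates a public port for each new outbound flow, refreshes an entry whenever traffic uses it, drops inbound packets for which no live entry exists, and expires idle entries. Addresses, ports and the 60-second timeout are made up for the example; real conntrack timeouts are per protocol and per connection state.

```python
import ipaddress
import itertools


def netmap(address, private_net, public_net):
    """Static one-to-one translation (what the NETMAP target does): keep the
    host bits, swap the network bits. The same function serves both directions."""
    addr = ipaddress.ip_address(address)
    a, b = ipaddress.ip_network(private_net), ipaddress.ip_network(public_net)
    if a.prefixlen != b.prefixlen:
        raise ValueError("one-to-one NAT needs two blocks of equal size")
    if addr in b:
        a, b = b, a
    elif addr not in a:
        raise ValueError(f"{addr} is in neither block")
    return str(b.network_address + (int(addr) - int(a.network_address)))


class NaptGateway:
    """Many-to-one NAT (MASQUERADE/SNAT to a single address) with port
    translation and a translation table whose entries time out."""

    def __init__(self, public_ip, private_net, ttl=300, first_port=1024):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.ttl = ttl                         # idle seconds before an entry expires
        self.free_ports = itertools.count(first_port)
        self.by_port = {}                      # public port -> {"flow": ..., "expires": ...}
        self.by_flow = {}                      # (src, sport, dst, dport) -> public port

    def _expire(self, now):
        for port, entry in list(self.by_port.items()):
            if entry["expires"] <= now:
                del self.by_port[port]
                del self.by_flow[entry["flow"]]

    def translate_outbound(self, pkt, now):
        """pkt = {"src", "sport", "dst", "dport"}; returns the rewritten packet,
        or None when the source is not on the private segment."""
        self._expire(now)
        if ipaddress.ip_address(pkt["src"]) not in self.private_net:
            return None
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.by_flow.get(flow)
        if port is None:                       # new connection: allocate a public port
            port = next(self.free_ports)
            self.by_flow[flow] = port
            self.by_port[port] = {"flow": flow, "expires": 0}
        self.by_port[port]["expires"] = now + self.ttl   # traffic refreshes the entry
        return {"src": self.public_ip, "sport": port, "dst": pkt["dst"], "dport": pkt["dport"]}

    def translate_inbound(self, pkt, now):
        """Rewrite a packet from the public side back to the private host. Only a
        live entry for that public port, created towards that same remote
        endpoint, is accepted; anything unsolicited or expired is dropped (None)."""
        self._expire(now)
        entry = self.by_port.get(pkt["dport"]) if pkt["dst"] == self.public_ip else None
        if entry is None:
            return None
        src, sport, dst, dport = entry["flow"]
        if (pkt["src"], pkt["sport"]) != (dst, dport):
            return None
        entry["expires"] = now + self.ttl
        return {"src": pkt["src"], "sport": pkt["sport"], "dst": src, "dport": sport}


if __name__ == "__main__":
    gw = NaptGateway("172.19.19.130", "10.0.0.0/8", ttl=60)
    out = gw.translate_outbound({"src": "10.1.1.5", "sport": 40000,
                                 "dst": "198.51.100.10", "dport": 80}, now=0)
    reply = {"src": "198.51.100.10", "sport": 80, "dst": "172.19.19.130", "dport": out["sport"]}
    print("outbound rewritten to", out)
    print("reply mapped back to", gw.translate_inbound(reply, now=10))
    print("same reply after the entry expired:", gw.translate_inbound(reply, now=999))
```

The inbound check is the property the text calls "temporarily bi-directional": a packet to the public port is forwarded only while the entry is alive and only from the peer the private host talked to, which is why an outside host cannot reach 10.1.1.5 on its own initiative.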

nat Chains
netfilter implements network address translation in the nat table. This pre-defined table consists of three built-in chains, the PREROUTING, OUTPUT and POSTROUTING chains. Rules in the PREROUTING chain apply to inbound packets (packets arriving at the gateway from any direction). Rules in the OUTPUT chain apply to locally generated packets (packets that are generated on the gateway itself). Rules in the POSTROUTING chain apply to outbound packets (packets leaving the gateway in any direction).

nat Targets
The nat table includes the built-in targets MASQUERADE, SNAT, DNAT, NETMAP and REDIRECT.

The MASQUERADE target is available in the POSTROUTING chain. MASQUERADE is intended to be used where a firewall’s public side IP address is dynamically assigned, such as where an ISP assigns IP addresses by DHCP. MASQUERADE translates all private network addresses to the single address of the external interface as illustrated, performing port translation as needed and rewriting the destination address and port of replies as needed. When the firewall’s external IP address is released or changed, all translations are dropped.

The SNAT target is available in the POSTROUTING chain. SNAT may be used on a firewall with statically assigned IP addresses. SNAT provides outbound (more trusted to less trusted) network address translation to a pool of public side addresses such that the source address of each outbound packet is translated to an address from the pool, with port translation being performed as needed and the destination address and port of replies being rewritten as needed.

SNAT can use a single public side address as an alternative to a pool of addresses, making SNAT comparable to MASQUERADE. However, SNAT should not be used with dynamically assigned public addresses.

Conversely to SNAT, the DNAT target is available in the PREROUTING and OUTPUT chains and provides inbound (less trusted to more trusted) network address translation. When a connection is initiated from a less trusted network, the destination address is the address of the firewall interface that faces the originating network. DNAT translates the destination address to the address of a host on a more trusted segment. Optionally, the destination port may also be translated. The source address and port of replies from the more trusted segment will be rewritten as needed.

DNAT can use a pool of destination addresses and ports, providing a simple circuit level method of performing load balancing across a number of hosts such as a farm of web servers.

The NETMAP target provides static one to one translation between two network blocks of equal size.

The REDIRECT target is available in the PREROUTING and OUTPUT chains. REDIRECT translates the destination IP address of each matching packet to the primary address of the interface on which the packet arrived. For example, a REDIRECT rule matching packets arriving on eth2 rewrites their destination to the address of eth2; for locally generated packets in the OUTPUT chain the destination becomes 127.0.0.1. Optionally, the destination port may also be translated. Among other uses, REDIRECT facilitates use of transparent proxies whereby client software such as web browsers may be automatically redirected through the firewall to a proxy server without reconfiguration on the client side.

Wanted: A Career as a Linux Admin

January 12, 2009 1 comment

Here is a unique Linux Career Opportunity. We are currently looking for 1-3 people interested in developing into Linux Admins/Trainers. Our interest is in people we can train and develop over a 60 week course. What is unique about this course is that you will work for us while you are training. This will offset the cost of the course by as much as 50%. The course is $400 a month for the 15 months but up to $200 each month will be provided by your work, writing for us. This means that you can get the course for half-price if you can keep up with the work load.
This course is put on by CyberMontana Inc. which trains as many as 75 students each week. We have a number of Linux training sites and business options.

What we are looking for:

1. Self-Motivated Individual

We are looking for someone who can get assignments done on their own. They can do research, problem solving and create documentation without needing someone’s help.

2. Ability to Write

Individuals who are interested must be willing and able to write clearly and be able to express themselves in English so that others can understand.

3. Tenacious

Problems are hard to solve at times. We need people who will aggressively pursue the problem solution until they can arrive at a solution. We are not interested in quitters.

4. Ability to Train with Patience

People are not easy to work with at times. We need trainers who will be patient and diligent despite difficulties with students.

5. Innovation

We are looking for people who have new ideas and new ways of working with technology. The Internet and Linux specifically is rapidly changing.

Outline of the Course
Stage 1: Basic Training (20 weeks)

The Basic Training Section will include 10 weeks of Server Administration and 10 weeks of LPI Certification Training. The goal of this section will be not only to test your desire to learn difficult information but to provide you with the information to get LPI Certified, Linux+ Certified or RHCT.


Stage 2: Distro Expert (20 weeks)

The second 20 weeks will focus on helping you become an expert in one Linux distribution. During this time you will be required to write extensively and set up a test lab in order to focus on skills with one distribution. This will be foundational for your future as an Admin/Trainer.


Stage 3: Project Documentation (20 weeks)

You will be assigned projects to document and provide solutions. During this section you may be assigned jobs with clients or act as a trainer in specific situations. This will all be done under supervision.

The ultimate goal is to not only provide you with the training and certifications that will get you into a Linux Career but also work toward providing you with a job.

If this looks like something you are interested in please send a 500 word example of your writing skills on a Linux topic and a resume to:

mike at beginlinux.com

This opportunity will be open to several individuals each quarter, you will have to apply to see if we have current openings.

Logwatch Fix on Ubuntu 8.10

January 9, 2009 Leave a comment

Logwatch Error
Logwatch is a program that parses your logs and sends you an email every day summarizing what has taken place on your server, a very friendly program.

Installation is simple:
apt-get install logwatch

Edit the config file in /usr/share/logwatch/default.conf/logwatch.conf. That file is the packaged default and is replaced on upgrade; on Debian and Ubuntu, local overrides belong in /etc/logwatch/conf/logwatch.conf, which is read after it and takes precedence.

Basically all you have to do is change the:

MailTo = your_email_address

With Ubuntu I kept getting this error; though I checked, I could not find a solution, so, as it looked like the location /var/cache/logwatch was missing, I created one and it worked perfectly.

# logwatch
/var/cache/logwatch No such file or directory at /usr/sbin/logwatch line 632.

sudo mkdir /var/cache/logwatch

Now run the program as root with:

logwatch

or run in debug mode to get more information.

logwatch --debug 6

That will provide a lot of info.

Monitoring Multiple Servers with Nagios 3

November 28, 2008 3 comments

As an administrator you may be faced with the task of constantly monitoring web servers, mail servers, FTP servers and so on. Basically, your organization wants all of its servers up and running all of the time. Nagios 3 offers an easy set up and configuration to make this happen, so that you can monitor multiple servers and have Nagios alert you to problems. Nagios can notify you by email, pager or phone. This will allow you to have a life and count on Nagios to contact you when problems develop.

In the past Nagios has been a really difficult set up and configure job. Many have just given up and moved on. However, using Ubuntu 8.10 and the new Nagios 3 this is a breeze to set up and use effectively. Here are some key links to get you going:

Set up Nagios 3 on Ubuntu 8.10
Configure Web Server Monitoring
Configure Mail Server Monitoring


Take a Live Virtual Class on Nagios


Nagios is based on objects. Objects are hosts, services, contacts and timeperiods. A host is a physical device on your network like a server, router, switch or printer. Each host is defined with an IP address or hostname that Nagios uses to reach it. A service is an attribute of the host. For example a service might be CPU load, disk usage, or uptime. A service might also be something that the host provides like HTTP, FTP, or POP3. Once you have set up a host and a service, Nagios will begin to monitor that service on the host. The contacts are the administrators that should get notified, and how they should get notified, when there are problems. Finally, timeperiods are blocks of time that determine when checks run and when an administrator should get notified by Nagios. Put this all together, and you have a sophisticated monitoring process that will make your life easier.

Nagios has a web interface that you may log into so that you can see various hosts and services that you are monitoring. Here is an example.

[image: Nagios web interface]

Categories: Server Admin

Elpicx 2.0 – Dual-Boot LPI Training For Ubuntu/Fedora

September 26, 2008 Leave a comment

Now you can use the recently released Elpicx 2.0 live DVD to dual-boot Ubuntu 8.04 and Fedora 9 KDE with LPI (Linux Professional Institute) training materials like test emulators, reference cards, study notes and exercises for the LPI certification exam. Elpicx 2.0 is available as a 1.6 GB download in German and English. The Elpicx homepage states that “Ubuntu-Documentation and LPIC-Documentation were added together with software to prepare for the LPI exams.” It seems the combination of the Ubuntu 8.04 LTS and Fedora 9 desktops along with the LPI training in one package may be the key. Newbies often show symptoms of frustration when left to sort through Linux lingo in the forums. Combining training with the distribution may be what we’ve all been waiting for. Buy Elpicx 2.0 on DVD

Stopping Spam by Dumping it in a Blackhole

September 25, 2008 2 comments

Mail servers today are especially overburdened with spam. This is costing organizations real money in hardware bought just to process it: it takes memory and CPU cycles to decide whether a message is spam, and as spam volume grows, more servers have to be built to separate the good from the bad. Using DNS blackhole lists (DNSBLs, often called RBLs) is a way to reduce the load on your server. They are databases of IP addresses known to send spam, published in DNS, so that your mail server can reject a connection from a listed address before it spends any effort on the message itself. The cost is that each check is a DNS lookup, which takes some resources and adds latency to the SMTP session, but the reduction in spam can be significant.

Get more information about Postfix on a daily basis: try the Postfix Blog.

The examples below are for a Postfix Mail Server. One thing to note, there are a lot of Blackholes online, you need to check them closely to be sure they meet the needs of your organization. The ones we list are simply examples.

In the example below two kinds of lists are used to block spam; these are only illustrations and you should research your lists carefully. Each list is published under a DNS zone name. Postfix reverses the octets of the connecting client’s IP address, prepends them to that zone name and looks the result up; an A record in the answer means the client is listed. The two lists here are combined under one zone name, which is then entered into your smtpd restrictions.

Exploits Block List (http://www.spamhaus.org/xbl/index.lasso)
The following information is taken from spamhaus site.

“The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.”

The Spamhaus Block List (http://www.spamhaus.org/sbl/index.lasso)
The following information is taken from spamhaus site.

“The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

The SBL is queryable in realtime by mail systems throughout the Internet, allowing email administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending or origination of Unsolicited Bulk Email (aka “Spam”).

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and – just as importantly – to delist resolved issues.”

These two lists are combined under this zone name. (Spamhaus now recommends zen.spamhaus.org, which combines the SBL, XBL and PBL in one lookup, and refuses queries that arrive through the large public resolvers, so query from your own resolver and check the Spamhaus site for the current zone names and usage limits before relying on any of them.)

sbl-xbl.spamhaus.org

smtpd_recipient_restrictions =
warn_if_reject reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_rbl_client sbl-xbl.spamhaus.org
permit

Address Sender Verification

One of the best methods of restricting spam is to require sender address verification. This means that Postfix will open an SMTP session to the sender domain’s mail exchanger and check, with MAIL FROM and RCPT TO but without sending any message data, that the envelope sender address is deliverable; mail from an address that is not is refused. This takes time and resources, delays the first message from every new sender, and generates probe traffic that some sites treat as abuse, so Postfix’s own documentation recommends applying it selectively (for example only to sender domains listed in an access map) rather than to every message. You will need to add the reject_unverified_sender option.

smtpd_recipient_restrictions =
warn_if_reject reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_unverified_sender
permit

There is a way to enhance this process. Postfix caches the results of its probes in the verify(8) daemon, so the same address is not probed again; but in older releases that cache lived only in memory and was lost whenever the daemon exited or the server was restarted. You can tell Postfix to write the results to a database file so that the cache survives restarts. Use the address_verify_map parameter to make this work. (Postfix 2.7 and later already default to a persistent cache file under the data_directory.)

address_verify_map = btree:/var/spool/postfix/verified_senders

If you do not want to cache negative results, that is addresses that failed verification, use this parameter.

address_verify_negative_cache = no
