Linux.com

Community Blogs



Using SSHFS to remote mount a Windows System.

Try hard as we might, it's impossible to get away from the OS from Redmond.  All too often we need to be able to get a file off or onto a Windows system in a secure manor.  Samba won't work over the Internet, NFS isn't an option either over the internet.  Linux to the rescue, along with some FOSS for Windows. 

FUSE or File sytem in USEr space, allows Linux to create file systems of multiple kinds that can be mounted and manipulated by an unpriviledged user, meaning no root privileges are needed at any time.  SSHFS or SSH File System, is the type of file system we will use. Other Windows connectable file systems exist but since we are going over the open Internet and we want data integrity, and security I've chosen SSHFS for this.  I've tested it on win2k XP and 2003 server so far without a problem.

Step one: go to  http://sshwindows.sourceforge.net/download/ and grab the binary installation file for Windows. (Currently i386 version only) Install this on the Windows system you wish to mount from a remote location.  The process on how to install an application on Windows and create Users is an exercise I'll leave to the reader.  However to someone who is familiar at all with SSH running the install and answering it's questions should be straight forward.  NOTE: If you have cygwin installed you should install the SSH server with cygwins package manager as it will be less likely to cause a conflict. At this point, from your Linux box ssh into the windows box and make sure it all works.  Once it does.  You are done with the windows work.

 Step two:  If you are running RHEL/CentOS 5.x  the modules you need will already be installed in the running kernel, and the packages will be available in the normal repository.  RHEL/CentOS 4.x will require that you use either DAG's repository or do the normal configure/make/make install routine.  I highly recommend DAG's work as it's always rock solid, and his packages are correctly integrated into RH/CentOS system so as to not cause future conflicts.  Ubuntu and Deb (sarge and Lenny) both have FUSE available in the apt repository and the dependency will be brought in when you install SSHFS.  

Step three:  Install SSHFS With RHEL/CentOS you will need DAG's repository setup.  Then just yum install fuse-sshfs, or Ubuntu/Debian do apt-get sshfs.  All dependency's will be pulled.  The following should be taken care of before you begin.  Edit /etc/group (I use vigr) and add all users who you want to be able to use SSHFS into the group fuse.  Once this is done we are ready to test things out.

Now we get to mount our remote windows system.  Create a dir in your home directory to mount the remote system and then prepare to do a simple test run. 

 usage: sshfs [user@]host:[dir] mountpoint [options] 

 Is the proper format for running the command, and remember that if you skip the [user@] portion, just as in Linux it will assume that your current logged in user is the username to use on your remote server as well.  

 #> sshfs myname@mywinbox: /myhome/mountpoint  

This will grab the user home or C: (depending on System) mount it locally and give you access to read/write these files as if they were locally held.  Also at the same time any user on the Windows box will also be able to read/write the same file (no file locking is provided. ) so it's best to co-ordinate with the user on the other end if needed.  

At this point the movement of files will be at the same speed as a normal ssh, man sshfs can be read and used to fine tune the sshfs mount the most important from my viewpoint is the ability to set the UID and GID of the files so that the correct user has access to them.  Again since this isn't a comprehensive tutorial, I'll leave it to the reader to learn from the man page. 

 

Xen DomU clock issues

I just setup a Xen DomU (Debian Lenny) and found that when I tried to live migrate it between hosts, any pings would just hang.  I found my logs filled with clock warnings about going backwards in time.  Here is how I resolved this.

Read more... Comment (0)
 

Xen: Create a Jaunty DomU using xen-create-image

These are instructions for creating an Ubuntu Jaunty DomU on Debian Lenny Dom0 using Xen 3.2.1 that comes with Lenny.  I'm installing into an LVM rather than using a file image.  See this HowtoForge article for background of my particular setup.  This tutorial assumes you're working from a similar setup with an iscsi target and LVM-based VMs.

 The reason I'm posting this is because I had such a hard time finding some combination of tools that worked correctly to do this.  I tried a few options but had little success:

  • debootstrap - Didn't seem to work with Jaunty at all.  It would just crash
  • vm-install - Doesn't support LVM-based VMs by default, but there is a procedure for converting the qcow image to an LVM
What I found is that I could find no way of creating the LVM-based VM in Lenny.  I actually had to create a sid instance first and then install my open-iscsi and xen-utils into the sid VM, then use SID to populate the VM. 

Perform the following actions in your SID vm or workstation

Note:  You'll need your /etc/xen-tools/xen-tools.conf setup like the instructions in the HowtoForge article (things like gateway, netmask, broadcast, passwd, fs type, install-method, etc).

Whenever I would try to build the vm with the default partitions, it would always fail.  For some reason the resulting vm would have an fstab that shows something like sda1 and sda2 instead of xvda1 and xvda2.  I had to create my own partition scheme before anything would work right.  Here's mine:

$ sudo cat /etc/xen-tools/partitions.d/with-data
[root]
size=4G
type=ext3
mountpoint=/
options=sync,errors=remount-ro

[swap]
size=512M
type=swap

[data]
size=4G
type=ext3
mountpoint=/data
options=nodev

 You will need to create a symlink for jaunty so that the option is recognized at the command-line. 

$ cd /usr/lib/xen-tools

$ sudo ln -s edgy.d jaunty.d 

Now, finally, you can create the image.  This step may take some time

$ xen-create-image --hostname=myserver --dhcp --lvm=vg_xen --dist=jaunty --mirror=http://archive.ubuntu.com/ubuntu --size=4Gb --memory=512Mb --swap=512MB --arch=i386 --partitions=with-data

 Since you're building the LVM on a different machine than it will eventually run on, you'll need to  copy the resulting xen config to the correct server:

$ scp /etc/xen/myserver.cfg root@realhost:/etc/xen/

That should be all you need to get this working.

 

Remote port tunnelling with SSH

Hi there, here's a quick blog about SSH port forwarding, let's describe the scenario with an example, of course port forwarding may be applied to everythin, not only to mysql as reported in the sample

 

Assume you've a remote host with MySQL server installed and running, of course for security reasons you've forbidden TCP connections from every machine except localhost, or at least this is how I usually configure my services. Your Python, PHP, Java apps and even CLI apps are happy with it, they can access mysql backend by connecting to localhost on 3306 port.

For security reasons when you're inside the mysql server you can connect to my by using:
myserver:~$ mysql --host=127.0.0.1 --user= --password=
pretty safe and good, I usually configure MySQL in this way:
myserver:~$ cat /etc/mysql/my.cnf|grep "bind-address"
bind-address = 127.0.0.1

so far, everything is perfect now but if you need to manage your remote db with MySQL Administrator or with your preferred tool how can you connect to this machine ? Easy, let's forward remote 3306 port to local 3306 or other port if needed, then you can connect to localhost and use the SSH tunnel in between. from your local machine:
localmachine:~$ ssh -l -L 3306:localhost:3306
So you open an ssh console to your machine from your localhost, with the connection you ask remote to port forward its 3306 port to your local 3306.
Now try to open your remote db from localhost, so if you use mysql command line utility you need to type:
localmachine:~$ mysql --host=127.0.0.1 --user= --password=
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 254
Server version: 5.0.51a-24 (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

And that's it !

Obviously you can even use your favorite admin tool, not only mysql cli

 

Pretty easy and quick

Hope it helps someone

Ben

 

Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3)

Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3) is the last part of Eric Geier's excellent series on using Zeroshell Linux to provide secure LAN services, such as wireless access point, name services, firewall, and lots more. Enjoy!
 

Preventing unauthorized SSH access using Denyhosts

Once when I was doing a regular tail -f /var/log/messages, I came across a number of messages like these.

sshd[29924]: PAM_NAM: User donk unknown to the authentication module
sshd[29924]: Failed password for invalid user donk from 'IP address here' port 63410 ssh2

My SSH was under continuous attack! . Hmm.., until I found DenyHosts..

DenyHosts is a cool little python script by Phil Schwartz, which will parse the logs and identify repeated authentication failures and add the IP address of the offenders to /etc/hosts.deny, thus preventing them to connect to the server in the first place.

Installation

As the program was not available in the official repositories for SLES 10 SP1, I had to do some manual configuration. The installation steps were detailed in the ‘Readme.txt' file within the package.

First, the python-devel package has to be installed. It is not installed by default

zypper install python-devel

Download the latest version of DenyHosts from http://denyhosts.sourceforge.net/

The version available at the time of my setup was 2.6. After uncompressing the sources

tar zxvf DenyHosts-2.6.tar.gz

cd DenyHosts-2.6

python setup.py install

The above step install the scripts and config files in /usr/share/denyhosts and in the site-packages of the python directory.

Configuration

Before proceeding the file denyhosts.cfg must be edited to suit the installation environment.The example config file is fully commented so it should be easy to follow. I had the following config

#/usr/share/denyhosts/denyhosts.cfg

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
LOCK_FILE = /var/run/denyhosts.pid

After this, I did the following step (as mentioned in the readme) to run denyhosts as a daemon during system start.

cd /usr/share/denyhosts

chmod 700 daemon-control

ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts

/etc/init.d/denyhosts start

tail -f /var/log/denyhosts # will contain messages related to the start

If it is working as intended, enable it to start automatically by doing

chkconfig denyhosts on

It had happend occassionally that some valid IP's are listed in /etc/hosts.deny. To prevent this, the genuine IPs from which users connect can be added to a file called ‘allowed-hosts' in /usr/share/denyhosts/data. There is no specific format. Just add the IPs to the file one below the other. Also, edit denyhosts.cfg to change the following variable and restart denyhosts.

ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES

That's it..

 

Testing mail servers with swaks

Article Source: http://www.cmdln.org
Date: April 16th 2009

 I hadn’t seen this tool before so I figured I would share. Swaks is the swiss army knife SMTP according to the homepage.

Full Entry

 

Perl : Creating a compiled daemon

One of the more exciting techniques I learned while working on my server project for the last year was how to create a daemon in Perl and then compile it.

Yes Perl can be compiled. I had no idea, but its a wonderful thing. Combine this with a fork statement, a while loop and your all set to have a daemon.
Read more... Comment (0)
 

Improving debians nginx init script

Article Source: http://www.cmdln.org
Date: April 27th 2009

nginx is a high performance HTTP and mail proxy server written by Igor Sysoev.

I’m not sure what the init scripts do for other distros but it seems a bit of an oversight to leave out checking the config file when running the init script

Full Entry

 

Project Review: eBox Platform

eBox Logo

The eBox Platform is a suite of software for managing networking and other features.  I stumbled onto eBox a few years ago and have since used it in many locations including my home network.  The project was and still is hosted in Spain by some very capable folks.  Community involvement and grants have supported some of the developers.

Read more... Comment (0)
 

Puppet, what was I doing?!?

Been busy today setting up puppet on a Xen virtual environment. 5 virtual machines in my lab managed by puppet.

Puppet is a system that enabled you to manage configuration files and information across multiple hosts.

I really dont know what I've been doing without it. Basicly you can setup your configuration profile and all machines current and future consume that configuration set.

Today I have been trying it with distributiong sudoers, ldap authentication, nfs configuration, firewall.. It's really usefull.

I definiently recomend this for anyone that wants a "standardized multinode environment".

 
Page 8 of 9

Upcoming Linux Foundation Courses

  1. LFD331 Developing Linux Device Drivers
    13 Oct » 17 Oct - Virtual
    Details
  2. LFS425 Linux Performance Tuning Crash Course
    16 Oct » 16 Oct - Düsseldorf, Germany
    Details
  3. LFS220 Linux System Administration
    20 Oct » 23 Oct - Virtual
    Details

View All Upcoming Courses


Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board