Linux.com

Community Blogs



Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3)

Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3) is the last part of Eric Geier's excellent series on using Zeroshell Linux to provide secure LAN services, such as wireless access point, name services, firewall, and lots more. Enjoy!
 

Preventing unauthorized SSH access using Denyhosts

Once when I was doing a regular tail -f /var/log/messages, I came across a number of messages like these.

sshd[29924]: PAM_NAM: User donk unknown to the authentication module
sshd[29924]: Failed password for invalid user donk from 'IP address here' port 63410 ssh2

My SSH was under continuous attack! . Hmm.., until I found DenyHosts..

DenyHosts is a cool little python script by Phil Schwartz, which will parse the logs and identify repeated authentication failures and add the IP address of the offenders to /etc/hosts.deny, thus preventing them to connect to the server in the first place.

Installation

As the program was not available in the official repositories for SLES 10 SP1, I had to do some manual configuration. The installation steps were detailed in the ‘Readme.txt' file within the package.

First, the python-devel package has to be installed. It is not installed by default

zypper install python-devel

Download the latest version of DenyHosts from http://denyhosts.sourceforge.net/

The version available at the time of my setup was 2.6. After uncompressing the sources

tar zxvf DenyHosts-2.6.tar.gz

cd DenyHosts-2.6

python setup.py install

The above step install the scripts and config files in /usr/share/denyhosts and in the site-packages of the python directory.

Configuration

Before proceeding the file denyhosts.cfg must be edited to suit the installation environment.The example config file is fully commented so it should be easy to follow. I had the following config

#/usr/share/denyhosts/denyhosts.cfg

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
LOCK_FILE = /var/run/denyhosts.pid

After this, I did the following step (as mentioned in the readme) to run denyhosts as a daemon during system start.

cd /usr/share/denyhosts

chmod 700 daemon-control

ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts

/etc/init.d/denyhosts start

tail -f /var/log/denyhosts # will contain messages related to the start

If it is working as intended, enable it to start automatically by doing

chkconfig denyhosts on

It had happend occassionally that some valid IP's are listed in /etc/hosts.deny. To prevent this, the genuine IPs from which users connect can be added to a file called ‘allowed-hosts' in /usr/share/denyhosts/data. There is no specific format. Just add the IPs to the file one below the other. Also, edit denyhosts.cfg to change the following variable and restart denyhosts.

ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES

That's it..

 

Testing mail servers with swaks

Article Source: http://www.cmdln.org
Date: April 16th 2009

 I hadn’t seen this tool before so I figured I would share. Swaks is the swiss army knife SMTP according to the homepage.

Full Entry

 

Perl : Creating a compiled daemon

One of the more exciting techniques I learned while working on my server project for the last year was how to create a daemon in Perl and then compile it.

Yes Perl can be compiled. I had no idea, but its a wonderful thing. Combine this with a fork statement, a while loop and your all set to have a daemon.
Read more... Comment (0)
 

Improving debians nginx init script

Article Source: http://www.cmdln.org
Date: April 27th 2009

nginx is a high performance HTTP and mail proxy server written by Igor Sysoev.

I’m not sure what the init scripts do for other distros but it seems a bit of an oversight to leave out checking the config file when running the init script

Full Entry

 

Project Review: eBox Platform

eBox Logo

The eBox Platform is a suite of software for managing networking and other features.  I stumbled onto eBox a few years ago and have since used it in many locations including my home network.  The project was and still is hosted in Spain by some very capable folks.  Community involvement and grants have supported some of the developers.

Read more... Comment (0)
 

Puppet, what was I doing?!?

Been busy today setting up puppet on a Xen virtual environment. 5 virtual machines in my lab managed by puppet.

Puppet is a system that enabled you to manage configuration files and information across multiple hosts.

I really dont know what I've been doing without it. Basicly you can setup your configuration profile and all machines current and future consume that configuration set.

Today I have been trying it with distributiong sudoers, ldap authentication, nfs configuration, firewall.. It's really usefull.

I definiently recomend this for anyone that wants a "standardized multinode environment".

 

tc - show / manipulate traffic control settings

Since I've spent the last year learning a lot of little things about Linux I thought I'd share some fun stuff for anyone who's interested.

This was a good one. There is a LOT more information then I could ever explain on the topic found at http://lartc.org

If you've ever wondered how to rate limit users on your network, this tutorial will save you a lot of research time. I've done most of the leg work for you and can say that this method has been tested and shown to work on medium sized networks with 1-50 users. The only downfall is that it will only rate limit the users download speed. I have not found a way to do upload speeds.

Read more... Comment (0)
 

Qwiki : Ping an IP Address in HEX

Did you know you can ping an IP Address in HEX?

Read more... Comment (0)
 

Deploying a Linux based vm from VMware template

Deploying a Linux based virtual machine from a VMware template can be a bit difficult when you don't know the ins and outs, the tiny tweaks. 

In this blog post I'll explain how you can get past the problems that might occur.

Read more... Comment (0)
 

SSH Tunnel between two machines

Here's another nice and short post about SSH and tunnels

Here's something I did in the past for working through DMZ machines, let me explain this scenario:
Immagine you've an UNIX machine inside a DMZ and you'd like to get some data from another host located inside the dmz green area, you've two options for it:

  1. Make a pinhole in the firewall (bad bad bad)
  2. Create a tunnel from the green area to the host inside the DMZ so the dmz machine can use that tunnel to remote forwarding ports from green machine

Obviously we'll discuss option number two :-)

Let's place an example for a quick and dirty explaination

Protected machine inside the dmz green area (protected) : lets' call it "green"
Machine inside dmz yellow area, used for web services from outside/inside: let's call it "yellow"
Service port to tunnel: 3306 from green to 6033 to yellow.
Yes, I'd like to transport MySQL (everything else works as well) from green to yellow so applications on yellow can normally open the database located on green.
Green also decides when and how to handle and keep the connection in order to preserve its data.

So, what's next ?
Let me assume you can ssh from green to yellow without passwords, you've already exported ssh rsa public/private keys from a machine to another (or maybe it could be a good argument for the next post :-) ), so all you have to do is open a tunnel in this way:

REMOTE_HOST=yellow
REMOTE_PORT=6033
LOCAL_HOST=green
LOCAL_PORT=3306

ssh -2 -f -q -T -N -R $REMOTE_PORT:$LOCAL_HOST:$LOCAL_PORT$REMOTE_HOST &

Issue this command on green machine and you'll have 6033 port opened on yellow, try to use mysql command line utility to open a database on green and see what happens.

Hope it helps someone, I've used it in the past to transport data from a db to another but you can even use for something else: JSON on HTTPD (80) and so on

 

**** UPDATE ****
See SSH Tunnel between two machines (part two) for an automatic script and use it easily
**** ****

 

Cheers

Andrea (Ben) Benini

 
Page 8 of 9

Upcoming Linux Foundation Courses

  1. LFD331 Developing Linux Device Drivers
    25 Aug » 29 Aug - Virtual
    Details
  2. LFD411 Embedded Linux Development
    25 Aug » 29 Aug - Santa Clara, CA
    Details
  3. LFS422 High Availability Linux Architecture
    08 Sep » 11 Sep - Raleigh, NC
    Details

View All Upcoming Courses


Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board