sandip's blog

SSH Chroot in ISPConfig Centos-4.6

Below is a reference for how I set up a chroot SSH jail for users on CentOS-4.6 with ISPConfig installed, replacing the openssh rpm with the one from chrootssh.sourceforge.net .

This is easy on ISPConfig, as support for chroot SSH is now built into the control panel: you simply need to get chrootSSH installed and then enable the ssh_chroot option in the config file "/home/admispconfig/ispconfig/lib/config.inc.php":

$go_info["server"]["ssh_chroot"] = 1;

If the ssh chroot needs access to additional applications, edit the file "/root/ispconfig/scripts/shell/create_chroot_env.sh", which builds the chroot. Also check and edit the location of the mysql socket file.

Force ProFTPD to listen on only one IP

It's not quite as clean as the socket binding under Apache, but the principle works something like this.

  1. In standalone mode, to listen only on the primary IP of a host, use the SocketBindTight directive.

    In "/etc/proftpd.conf":

    SocketBindTight                 on
    
  2. To listen on an interface which is not the primary host interface, use the SocketBindTight directive, place your server configuration in a VirtualHost block, and use "Port 0" for the main host configuration and "Port 21" inside the VirtualHost block.

    Port                            0
    SocketBindTight                 on
    <VirtualHost xxx.xxx.xxx.xxx>
        Port            21
        DefaultRoot     ~
        AllowOverwrite  on
        Umask           002
    </VirtualHost>

Install / Setup Nagios on Fedora 7

These are supplementary notes I took down a while back while installing nagios and n2rrd on a Fedora-7 box; they recently came in very handy when doing the install on a Red Hat (RHEL-3) box as well:

Nagios Install:

# yum install nagios nagios-plugins nagios-plugins-http nagios-plugins-icmp nagios-plugins-ping

On RHEL3, I used rpmforge (dag's rpms). Here is my yum.conf entry for rpmforge:

[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el3/en/$basearch/dag

Notes: I settled for icmp instead of ping, as it is a lot faster. However, icmp required setting setuid on "/usr/lib/nagios/plugins/check_icmp" for it to work. Also, I had to rebuild nagios-plugins from source as root in order for the plugin to be installed.

encode / decode base64 file

I use SquirrelMail in text mode and recently I've had to retrieve a password at Dell. The password reset email, however, comes with HTML embedded in base64 encoded text, so my webmail did not show the embedded HTML link. With some knowledge of uudecode, I was able to view the exact link to reset the password.

The sharutils package contains the GNU utilities uuencode and uudecode.

Here's a brief background and usage:

uuencode is a program that encodes binary files as plain ASCII text so that they can be sent through electronic mail. The program expands single characters that can't be viewed or printed as normal text into pairs of text characters, and the resulting encoded file is somewhat larger than the original binary file. This process is necessary to prevent mail, news, and terminal programs from misinterpreting the non-text characters in binary files as special instructions.

$ cat test.txt
hello world!

$ uuencode -m test.txt test.txt > test.txt.base64

$ cat test.txt.base64
begin-base64 644 test.txt
CmhlbGxvIHdvcmxkIQoKCg==
====

$ rm test.txt

$ uudecode test.txt.base64

$ cat test.txt
hello world!

First I copied over the actual base64 encoded text from my local email folder, which looks similar to:

$ cat dell_reset
DQpUaGlzIGVtYWlsIHdhcyBzZW50IHRvIHlvdSBpbiByZXNwb25zZSB0byB5b3VyIHJlcXVl
... ...
bGluayBoYXMgYSBsaWZlIHNwYW4gb2YgdGhyZWUgZGF5cyBvbmx5LjxiciAvPg0KPGJyIC8+DQo=

I then added a header line at the beginning and a trailer line at the end so that uudecode recognises the base64 encoded text, as below:

$ cat - dell_reset <<<"begin-base64 644 dell_reset.txt" > dell_reset.base64
$ echo "====" >> dell_reset.base64
$ cat dell_reset.base64
begin-base64 644 dell_reset.txt
DQpUaGlzIGVtYWlsIHdhcyBzZW50IHRvIHlvdSBpbiByZXNwb25zZSB0byB5b3VyIHJlcXVl
... ...
bGluayBoYXMgYSBsaWZlIHNwYW4gb2YgdGhyZWUgZGF5cyBvbmx5LjxiciAvPg0KPGJyIC8+DQo=
====

The text was then decoded using:

$ uudecode dell_reset.base64
$ cat dell_reset.txt
This email was sent to you in response to your request to modify your Dell.com account.<br />

Click the link below to go to the Dell site and modify your account:<br />
... ...
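The same job done with Python's email module, as an added example that is not part of the original post: the message, addresses and link below are constructed placeholders, and the code undoes the base64 layer that hides the HTML link from a text-mode mail client.

```python
# Added example (not from the original post): decode the base64-encoded
# text/html part of a mail message and list the links it carries, the
# task the uudecode trick above was used for. All values are constructed.
import re
from email import message_from_string
from email.message import EmailMessage

# Constructed stand-in for the reset mail body (a placeholder, not Dell's).
HTML_BODY = (
    "This email was sent to you in response to your request to modify "
    "your Example.com account.<br />\n"
    "Click the link below to modify your account:<br />\n"
    '<a href="https://www.example.com/reset?token=PLACEHOLDER">Reset</a><br />\n'
)


def build_sample_mail(html: str) -> str:
    """Build a raw message whose HTML part is base64 encoded, as the mailer did."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Password reset"
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_string()


def decode_base64_parts(raw: str) -> list[str]:
    """Return the decoded text of every base64-encoded text/* part."""
    msg = message_from_string(raw)
    decoded = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        payload = part.get_payload(decode=True)  # strips the base64 layer
        charset = part.get_content_charset() or "us-ascii"
        decoded.append(payload.decode(charset, errors="replace"))
    return decoded


def extract_links(html: str) -> list[str]:
    """Pull href targets out of the decoded HTML so they can be read as text."""
    return re.findall(r'href="([^"]+)"', html, flags=re.IGNORECASE)


if __name__ == "__main__":
    for body in decode_base64_parts(build_sample_mail(HTML_BODY)):
        print(body)
        print("links:", extract_links(body))
```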

sendmail access.db by example

The sendmail access database file can be created to accept or reject mail from selected domains.

Since sendmail reads "/etc/mail/access.db" as a database, after creating the text file "/etc/mail/access", use makemap to build the database map.

# makemap hash /etc/mail/access.db < /etc/mail/access

Below is what my access file currently looks like; it can be used as a starting point. All internal addresses have been changed except for spammers!!

# by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY

# Allow Connect from local server IPs
Connect:207.44.206.144   OK

# Accept Mail
# accept mail from PayPal
paypal.com      OK

# Reject Mail
posterclub@e.allposters.com     REJECT
posterclub@email.allposters.com REJECT
plastmarket.com                 REJECT
jr@jrtr.org                     REJECT
7b2.606@fe01.atl2.webusenet.com REJECT
mysoldpad.com                   REJECT

# Discard Mail
1and1-private-registration.com  DISCARD
# forum admin mails:
fictionaluser@gmail.com         DISCARD

# Reject full mailbox
fictionaluser@linuxweblog.com ERROR:4.2.2:450 mailbox full
fictionaluser@linuxweblog.net REJECT

# Blacklist recipients
linuxweblog.net ERROR:550 That host does not accept mail

# Spam friend domains: exempt domains from dnsbl list checking
Spam:linuxweblog.org      FRIEND

# Spam friend users: exempt email users from dnsbl list checking
# example:
# Spam:user@domain.tld         FRIEND
# clients
Spam:fictionalclient@hotmail.com  FRIEND

# Auto REJECT via hourly cron added below
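An added check for such a file, not part of the original post: run before makemap, it flags keys with no action, unrecognised actions, FRIEND/HATER outside a Spam: entry, unknown tag prefixes and repeated keys (which makemap refuses unless run with -r). The sample entries are constructed placeholders in the same format as the listing above, and the tag list covers only Connect:, From:, To: and Spam:.

```python
# Added example (not from the original post): lint a sendmail access file
# before makemap. Sample entries and addresses below are constructed.
import re

ACTIONS = {"OK", "RELAY", "REJECT", "DISCARD", "SKIP"}
SPAM_ACTIONS = {"FRIEND", "HATER"}          # only meaningful with the Spam: tag
KNOWN_TAGS = {"Connect", "From", "To", "Spam"}  # assumption: tags this checker knows
# ERROR:[dsn:]<4xx|5xx> text, optionally quoted, or a bare SMTP reply line
ERROR_RE = re.compile(r'^ERROR:(?:[45]\.\d{1,3}\.\d{1,3}:)?"?[45]\d\d .+')
SMTP_RE = re.compile(r'^"?[45]\d\d .+')


def lint_access(text: str) -> list[str]:
    """Return one human-readable problem per offending access-file line."""
    problems, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 1)
        if len(fields) < 2:
            problems.append(f"line {lineno}: key {stripped!r} has no action")
            continue
        key, action = fields
        tag, sep, _ = key.partition(":")
        if sep and tag not in KNOWN_TAGS:
            problems.append(f"line {lineno}: unknown tag {tag!r} in key {key!r}")
        tag = tag if sep else None
        if seen.setdefault(key, lineno) != lineno:
            problems.append(f"line {lineno}: duplicate key {key!r} (first on line "
                            f"{seen[key]}); makemap refuses it unless run with -r")
        if action in SPAM_ACTIONS:
            if tag != "Spam":
                problems.append(f"line {lineno}: {action} is only valid with the Spam: tag")
        elif tag == "Spam":
            problems.append(f"line {lineno}: Spam: entries take FRIEND or HATER, not {action!r}")
        elif not (action in ACTIONS or SMTP_RE.match(action) or ERROR_RE.match(action)):
            problems.append(f"line {lineno}: unrecognised action {action!r}")
    return problems


# Constructed sample in the format of the listing above; the last four
# non-comment lines carry mistakes the checker is expected to catch.
SAMPLE = """\
# by default we allow relaying from localhost...
localhost                       RELAY
127.0.0.1                       RELAY
Connect:192.0.2.10              OK
paypal.com                      OK
plastmarket.com                 REJECT
user@example.net  ERROR:4.2.2:450 mailbox full
example.net       ERROR:550 That host does not accept mail
Spam:example.org                FRIEND
Spam:client@example.com         FRIEND
# the lines below carry mistakes the checker should catch
plastmarket.com                 REJCET
Conect:192.0.2.11               OK
example.org                     FRIEND
danglingkey
"""

if __name__ == "__main__":
    print("\n".join(lint_access(SAMPLE)) or "access file looks clean")
```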

Easy Drupal maintenance and upgrades

Since Drupal has been releasing rapid updates, mainly due to security fixes, it's quite cumbersome to keep it up to date. However, with the setup below and the script to help with the maintenance, the last update was a breeze. The script has been used to upgrade from the 5.5 to the 5.6 release.

Note: The script does not currently have any checks (extreme alpha stage) and my Drupal installation is not a standard install, so usage may vary. Make sure you understand the script prior to running it. Usual disclaimer applies. You will also need root level shell access to run the script, as it is set to change ownership of files and folders using the "chown" command.

My current Drupal install is based on symbolic links for easy maintenance and upgrades. The layout is as below:

/var/www/html, /var/www/html/site_files and /var/www/html/sites are symbolically linked to /var/www/drupal-5.x, /var/www/drupal_files and /var/www/drupal_sites respectively, where /var/www/html is the web root.

Document Root = /var/www/html            -> /var/www/drupal-5.x
Files Folder  = /var/www/html/site_files -> /var/www/drupal_files
Sites Folder  = /var/www/html/sites      -> /var/www/drupal_sites

Also, any customization to the .htaccess is on top of the default Drupal code, so the script automatically prepends the custom data to the upgraded .htaccess file. Since I also have the gallery module, the .htaccess file is also set to be writable by apache.

Don't forget to set your site to "maintenance mode" with the default theme and disable all modules prior to the upgrade, although I've done some updates with all modules enabled without any issues. Also, my custom theme resides in the sites folder and stays untouched by the update.

Place the script in "/var/www" (just outside your document root) and run the update via:

# sh ./update_drupal.sh 5.x

Once completed, run update.php to apply any changes to the database. Set the site back to production mode, re-applying any customization as necessary.
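The symlink switch that the layout above is built for, written as an added Python example (the post's own update_drupal.sh is not shown on the page, so this is not its code): it prepends the custom .htaccess rules to the new release, links the shared folders into it, and swaps the web-root symlink atomically, returning the previous target so a rollback is one more swap. The demo builds constructed 5.5/5.6 release folders in a temporary directory; the chown step the post mentions is omitted since it needs root.

```python
# Added example (not the post's script): switch a symlink-based Drupal layout
# to a new release directory. Paths in demo() are constructed in a temp dir.
import os
import tempfile


def prepend_custom_htaccess(release_dir: str, custom_rules: str) -> None:
    """Put the site's own rules ahead of the stock .htaccess shipped with the release."""
    path = os.path.join(release_dir, ".htaccess")
    stock = open(path).read() if os.path.exists(path) else ""
    with open(path, "w") as fh:
        fh.write(custom_rules.rstrip("\n") + "\n" + stock)


def switch_release(base: str, new_version: str, custom_rules: str) -> str:
    """Point base/html at base/drupal-<new_version>; return the old target for rollback."""
    link = os.path.join(base, "html")
    target = os.path.join(base, "drupal-" + new_version)
    if not os.path.isdir(target):
        raise FileNotFoundError(target)
    previous = os.readlink(link) if os.path.islink(link) else None
    prepend_custom_htaccess(target, custom_rules)
    # Shared data lives outside the release tree, as in the layout above.
    for name, shared in (("site_files", "drupal_files"), ("sites", "drupal_sites")):
        inner = os.path.join(target, name)
        if not os.path.lexists(inner):
            os.symlink(os.path.join(base, shared), inner)
    tmp_link = link + ".new"
    if os.path.lexists(tmp_link):
        os.remove(tmp_link)
    os.symlink(target, tmp_link)
    os.replace(tmp_link, link)  # rename(2): no moment without a web root
    return previous


def demo() -> dict:
    """Constructed layout: html -> drupal-5.5, then switch to drupal-5.6."""
    base = tempfile.mkdtemp()
    for d in ("drupal-5.5", "drupal-5.6", "drupal_files", "drupal_sites"):
        os.mkdir(os.path.join(base, d))
    with open(os.path.join(base, "drupal-5.6", ".htaccess"), "w") as fh:
        fh.write("# stock Drupal rules\n")
    os.symlink(os.path.join(base, "drupal-5.5"), os.path.join(base, "html"))
    previous = switch_release(base, "5.6", "# custom rule\n")
    html = os.path.join(base, "html")
    with open(os.path.join(html, ".htaccess")) as fh:
        htaccess = fh.read()
    return {"previous": previous, "current": os.readlink(html),
            "htaccess": htaccess, "sites_linked": os.path.islink(os.path.join(html, "sites"))}


if __name__ == "__main__":
    print(demo())
```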

Debian / Ubuntu command notes for package and service maintenance ...

APT-GET

  • Clean up non-existent data
    # apt-get autoclean
  • Update list
    # apt-get update
  • Install/update a package
    # apt-get install <pkg>
  • Review what a dist-upgrade would do before applying it
    # apt-get -Vsu -o Debug::pkgProblemResolver=yes dist-upgrade
  • Apply updates
    # apt-get -Vu upgrade
  • Upgrade all dependencies
    # apt-get -Vu dist-upgrade
  • Search cache
    # apt-cache search <pkg>
  • Remove and purge packages
    # apt-get --purge remove <pkg>

DPKG

  • Install/update a package
    # dpkg -i <pkg>
  • Check listing of installed packages
    # dpkg -l *<pkg>*
  • Find which package a file belongs to
    # dpkg --search /path/to/file
  • List the files in a package
    # dpkg -L <pkg>
  • Info about a package
    # dpkg -s <pkg>

SERVICES

  • Manage services at init levels.
    # sysv-rc-conf
    # update-rc.d

Trac and SVN install / configuration notes...

The notes below are specifically for CentOS-4.6:

Installation:

# rpm -ivh  http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
# yum install httpd subversion mod_python mod_dav_svn
# yum --enablerepo=rpmforge install trac

Instantiating svn:

# mkdir /var/www/svn
# svnadmin create /var/www/svn/project

Initial svn import:

# mkdir -p /tmp/newsvn/{trunk,tags,branches}
# svn import /tmp/newsvn file:///var/www/svn/project -m "Initial import"
# chown -R apache /var/www/svn/project
# chmod -R go-rwx /var/www/svn/project

Instantiating trac:

# mkdir /var/www/trac
# trac-admin /var/www/trac/project initenv
# mkdir /var/www/{.python-eggs,passwd}
# htpasswd -c /var/www/passwd/.htpasswd <adminuser>
# touch /var/www/passwd/svnauthz
# chgrp -R apache /var/www/trac/project
# chown -R apache /var/www/trac/project/{attachments,db,log,plugins}
# chown -R apache /var/www/{.python-eggs,passwd}
# chmod -R o-rwx /var/www/{trac/project,.python-eggs,passwd}
# chmod g+w /var/www/trac/project/conf/trac.ini

Install trac plugins:

# wget http://peak.telecommunity.com/dist/ez_setup.py
# python ez_setup.py
# easy_install http://svn.edgewall.com/repos/trac/sandbox/webadmin/
# easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.10
# easy_install http://trac-hacks.org/svn/svnauthzadminplugin/0.10

trac.ini conf setup:

[trac]
default_charset=UTF-8
authz_file = /var/www/passwd/svnauthz

[components]
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
trac.web.auth.loginmodule = disabled
webadmin.* = enabled
svnauthz.* = enabled

[account-manager]
password_file = /var/www/passwd/.htpasswd
password_store = HtPasswdStore

Apache trac conf setup:

Alias /trac /var/www/trac
<Location /trac>
    SetHandler mod_python
    PythonInterpreter main_interpreter
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir /var/www/trac
    PythonOption TracUriRoot /trac
    SetEnv PYTHON_EGG_CACHE /var/www/.python-eggs
</Location>
#<Location /trac/*/login>
#    AuthType Basic
#    AuthName 'Trac Server'
#    AuthUserFile /var/www/passwd/.htpasswd
#    Require valid-user
#</Location>

Apache subversion conf setup:

<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn

   # Limit write permission to list of valid users.
   # <LimitExcept GET PROPFIND OPTIONS REPORT>
     # Require SSL connection for password protection.
     # SSLRequireSSL

     AuthType Basic
     AuthName 'Authorization Realm'
     # Trac .htpasswd file used so users will be the same for both
     AuthUserFile /var/www/passwd/.htpasswd
     Require valid-user
     AuthzSVNAccessFile /var/www/passwd/svnauthz
   #</LimitExcept>
</Location>

Trac privileges:

# trac-admin /var/www/trac/project permission add admins TRAC_ADMIN
# trac-admin /var/www/trac/project permission add <adminuser> admins
# trac-admin /var/www/trac/project permission remove anonymous TICKET_CREATE TICKET_MODIFY etc...
# trac-admin /var/www/trac/project permission add devs BROWSER_VIEW CHANGESET_VIEW FILE_VIEW LOG_VIEW \
        MILESTONE_CREATE MILESTONE_VIEW REPORT_CREATE REPORT_MODIFY REPORT_SQL_VIEW REPORT_VIEW \
        ROADMAP_VIEW SEARCH_VIEW TICKET_APPEND TICKET_CHGPROP TICKET_CREATE TICKET_MODIFY \
        TICKET_VIEW TIMELINE_VIEW WIKI_CREATE WIKI_MODIFY WIKI_VIEW

Log in as the admin user and set up Trac plugins, permissions etc...

Keep server time in sync with ntp

NTP is a protocol designed to synchronize the clocks of computers over a network; it is easy to set up and probably comes packaged with the OS.

Here's what was needed on Fedora-6:

  1. Install the ntp rpm if not already installed.
    # yum install ntp
  2. Open up UDP port 123, both incoming and outgoing on the firewall.
  3. Find a reliable close ntp pool server or you could just use the hub, "pool.ntp.org" and add it to the server list in "/etc/ntp.conf" file.
  4. Make sure your computer's clock is set to something sensible (within a few minutes of the 'true' time) - you could use `ntpdate pool.ntp.org`, or you could just use the date command and set it to your wristwatch, and also synchronize the hardware clock.
  5. Make sure ntp starts up at boot and then start the service:
    # /sbin/chkconfig ntpd on
    # /sbin/service ntpd start
  6. After some time, if you want to see exactly what is happening, you can run the query command:
    # ntpq -pn localhost

Anatomy of Linux Kernel

Immensely useful article for learning about the Linux kernel at IBM developerWorks.
