May 20, 2009

Shorewall Firewall Configuration for a Single Host

If your goal is to firewall a single computer connected to the net, then these are the shorewall configurations to get the job done. We'll be using Webmin to configure our settings. Let's get to it!

Log into webmin, go into manual configuration (for each category listed below), and copy and paste these settings.

#Network Zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4

#Network Interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect

#Default Policies
#SOURCE ZONE DESTINATION ZONE POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
all all REJECT info

#Firewall Rules
#ACTION SOURCE DESTINATION PROTOCOL SOURCE PORTS
#DESTINATION PORTS
#The following line will enable FTP port 21 to work with PASV connections
#connecting to port 30000 through 30100
ACCEPT:ULOG net fw tcp 21,30000:30100
#The following line will enable a VMware server machine to connect to our
#Vmware image via port 20000
ACCEPT:ULOG net:IPofVMwareHostgoeshere fw tcp 20000

#Blacklist Hosts
#Add IP addresses in this format
XXX.XXX.XXX.XXX/XX

Lastly, restart Shorewall.

If you'd like to block an entire country's IP addresses, the best place to go is www.blockacountry.com. This site lists a country's IP address block assignments, which makes it super easy to block an entire country! Throw some support their way, aka donations, if you do decide to use it.

May 18, 2009

How to: Vsftpd Virtual Users PAM Authentication Guide

This how-to will help you get your Vsftpd server up and running with Virtual Users (no local users), PAM authentication, and encrypted passwords.

For a more in-depth explanation of why we did what we did, here is the guide used as a reference:
http://ubuntuforums.org/showthread.php?t=518293

Overview of what we're about to create:
  1. Create user account, create directory for user account, and assign permissions to the user account
  2. Create a directory for Virtual User accounts' VSFTPD permissions. Each user account's permissions can be customized in this folder (we will do this later on in step 7)
  3. Backup Vsftpd.conf and edit it to enable local users, the PAM service, and guest access, and to define where our Virtual User account permissions are located
  4. Edit pam.d vsftpd file
  5. Create login text file
  6. Create login database for PAM to read and encrypt it
  7. Create a template settings file for Virtual User account permissions in step 2
  8. Use the template to create our user's permissions
  9. Edit our user's permission to define home and guest username
  10. Restart Vsftpd
  11. Put on our sunglasses and relax under the sun
The Guide:

1. The following will create a user with the name "genesis" and a home directory named "genesis"

# Must use -d option

sudo useradd -d /home/genesis genesis

sudo mkdir /home/genesis

sudo chown genesis /home/genesis



2. Create a directory for Virtual User accounts' VSFTPD permissions. You may already have the folder /etc/vsftpd

sudo mkdir /etc/vsftpd

sudo mkdir /etc/vsftpd/vusers



3. Backup Vsftpd.conf now. Edit your Vsftpd.conf and ensure these settings are added or changed, in addition to whatever you already have in your current Vsftpd.conf (you can use the sample vsftpd.conf posted on May 15 as a guide). Virtual users are treated as guests, so we enable guest access, and we define where our Virtual User account permissions are located.

sudo nano /etc/vsftpd.conf

anonymous_enable=NO

local_enable=YES

pam_service_name=vsftpd

guest_enable=YES

user_config_dir=/etc/vsftpd/vusers



4. Edit pam.d vsftpd file

sudo nano /etc/pam.d/vsftpd


Edit and ensure your /etc/pam.d/vsftpd file matches this one

# Standard behaviour for ftpd(8).

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable

# pam_ftp.so.

# Standard blurb.

#@include common-account

@include common-session

#@include common-auth

#auth required pam_shells.so

# Added per the readme to enable virtual users.

# db= is given without the .db suffix (pam_userdb appends it); it must point at
# the database created with db3_load in step 6.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login


5. Create a login.txt file wherever you want

sudo nano login.txt


We will specify users and passwords here. You can add as many users/passwords as you want here in the following format:

genesis

genesispasswordgoeshere

someotheruser

someotheruserpasswordgoeshere



6. You must have libdb3 and libdb3-util installed. db4, which you may already have, will not work. Personally, I use Webmin, and I had to install these directly from the packages.ubuntu.com site.

We will create the login database from our login.txt file and restrict access to the database. Future users are added the same way: edit or recreate login.txt and run this step again:

sudo db3_load -T -t hash -f login.txt /etc/vsftpd/vsftpd_login.db

sudo chmod 600 /etc/vsftpd/vsftpd_login.db

# Keeping login.txt is not a safe solution: if the file is compromised, all of
# your users' passwords are compromised. On the other hand, it makes it easier
# to add future users to your server. You should delete it instead with
# "sudo rm login.txt" (without quotes).

sudo chmod 600 login.txt



7. We will create a template for our user permissions located in /etc/vsftpd/vusers

sudo nano /etc/vsftpd/vusers/template1forusers


write_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

anon_upload_enable=YES

local_root=/home/???

chroot_local_user=YES

dirlist_enable=YES

download_enable=YES

guest_username=???



8. Write out to template1forusers

9. Now open template1forusers once again and change the ??? marks in step 7 to define user "genesis"

sudo nano /etc/vsftpd/vusers/template1forusers


Edit:

write_enable=YES

anon_mkdir_write_enable=YES

anon_other_write_enable=YES

anon_upload_enable=YES

local_root=/home/genesis

chroot_local_user=YES

dirlist_enable=YES

download_enable=YES

guest_username=genesis


10. Instead of saving it to template1forusers, write it out with the filename genesis (so the file is /etc/vsftpd/vusers/genesis).

11. Restart Vsftpd

sudo /etc/init.d/vsftpd restart

12. Try logging in with
user name: genesis
password: genesispasswordgoeshere
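As an added example (not code from this post), here is a small Python check for the setup built in steps 1 to 12. It verifies the things the guide leaves to be got right by hand: that login.txt alternates username and password lines in the layout db3_load -T reads (no blank, unpaired or duplicate entries), that every user in login.txt has a per-user file in user_config_dir with guest_username and local_root filled in (no leftover ??? from the template), and that each guest_username is a real local account whose home is the configured local_root. All inputs are constructed inline, so it runs offline; the per-user files and the account table are stand-ins for /etc/vsftpd/vusers and getent passwd.

```python
"""Consistency check for a vsftpd virtual-user setup (added example)."""
from dataclasses import dataclass, field


@dataclass
class Report:
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_login_txt(text: str) -> dict[str, str]:
    """Parse the alternating user/password layout into {user: password}.

    Raises ValueError on the mistakes that silently yield a broken .db:
    an odd number of lines, a blank user or password, or a repeated user."""
    lines = text.splitlines()
    if len(lines) % 2:
        raise ValueError("odd number of lines; expected user, password, user, password, ...")
    users: dict[str, str] = {}
    for i in range(0, len(lines), 2):
        user, password = lines[i], lines[i + 1]
        if not user.strip() or not password.strip():
            raise ValueError(f"blank entry at lines {i + 1}-{i + 2}")
        if user in users:
            raise ValueError(f"duplicate username {user!r}")
        users[user] = password
    return users


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """key=value lines; blank lines and '#' comments are ignored, as vsftpd does."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_virtual_users(login_txt: str, user_configs: dict[str, str],
                        local_accounts: dict[str, str]) -> Report:
    """user_configs maps a filename in user_config_dir to its text;
    local_accounts maps a system user to its home directory."""
    report = Report()
    try:
        users = parse_login_txt(login_txt)
    except ValueError as exc:
        report.problems.append(f"login.txt: {exc}")
        return report
    for user in users:
        if user not in user_configs:
            report.problems.append(f"{user}: no per-user config in user_config_dir")
            continue
        conf = parse_vsftpd_conf(user_configs[user])
        guest, root = conf.get("guest_username", ""), conf.get("local_root", "")
        if not guest or not root or "???" in guest or "???" in root:
            report.problems.append(f"{user}: guest_username/local_root not filled in")
        elif guest not in local_accounts:
            report.problems.append(f"{user}: guest_username {guest!r} is not a local account")
        elif local_accounts[guest] != root:
            report.problems.append(f"{user}: local_root {root} is not the home of {guest}")
    return report


# Constructed inputs mirroring the guide: login.txt lists two users, but only
# genesis got a per-user config (step 10); the unedited template is still there.
LOGIN_TXT = "genesis\ngenesispasswordgoeshere\nsomeotheruser\nsomeotheruserpasswordgoeshere\n"
USER_CONFIGS = {
    "genesis": "write_enable=YES\nlocal_root=/home/genesis\nchroot_local_user=YES\nguest_username=genesis\n",
    "template1forusers": "write_enable=YES\nlocal_root=/home/???\nguest_username=???\n",
}
LOCAL_ACCOUNTS = {"genesis": "/home/genesis"}  # constructed stand-in for getent passwd

if __name__ == "__main__":
    for problem in check_virtual_users(LOGIN_TXT, USER_CONFIGS, LOCAL_ACCOUNTS).problems:
        print("PROBLEM:", problem)
```

Run as written it reports one problem: someotheruser appears in login.txt but has no file in user_config_dir, which is exactly the state the guide leaves you in after step 10. The untouched template file is not flagged because no login name matches it; the check only looks at files named after users in login.txt.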

Give yourself a pat on the back. Great job!

May 17, 2009

Ubuntu Logon Screen: Security Warning Message

Use this message as a warning on your computers, servers, etc.


"This computer system is the private property of Company Name Goes Here, whether individual, corporate, or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.


Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning."


May 16, 2009

How to: Creating a Certificate and Key for Vsftpd FTPS

In this post, we will create a Vsftpd SSL certificate and key using a 1024-bit RSA key to turn our Vsftpd FTP server into a Vsftpd FTPS server.

The advantages of creating our own certificate are that we can define our company name, organization, location, and technical support contact information. When new users connect to our server, they will see our custom SSL certificate with our company name and information, which makes our FTP service look more formal and professional.

Overview of what we're about to do:
  1. Backup vsftpd.conf
  2. Edit our vsftpd.conf file and comment out the current certificate and key
  3. Insert the new location of our certificate and key
  4. Create our new certificate and key files
  5. Restart Vsftpd
  6. Put on our sunglasses and relax under the sun
The Guide:

1. Backup our vsftpd.conf file

sudo cp /etc/vsftpd.conf /etc/vsftpd.090522

2. Edit vsftpd.conf

sudo nano /etc/vsftpd.conf

3. Ensure that the snakeoil rsa_cert_file and rsa_private_key_file are commented out, then insert the location of the new certificate and key.

#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key

4. This creates a self-signed certificate that expires after 365 days, at which point we will have to create a new one.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
  -keyout /etc/vsftpd/vsftpd.key \
  -out /etc/vsftpd/vsftpd.pem

5. Restart Vsftpd

sudo /etc/init.d/vsftpd restart

Test using your favorite FTPS-enabled client.

Good job, buddy!

May 15, 2009

Sample Vsftpd Configuration File

For those trying to create a Vsftpd FTP Server, just for reference, here's my Vsftpd configuration file configured for:
  1. PAM authentication for Virtual Users
  2. FTPS SSL
  3. No anonymous users
  4. Ports 30000-30100 opened on the firewall for passive connections
  5. Chrooted users

#Sample Vsftpd Config:
write_enable=YES
guest_enable=YES
user_config_dir=/etc/vsftpd/vusers
listen=YES
listen_port=990
local_umask=022
anon_umask=022
anonymous_enable=NO
local_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=**********Something goes here.************
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
pasv_min_port=30000
pasv_max_port=30100
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
hide_ids=YES
max_per_ip=2
max_clients=15
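The Shorewall rules from the May 20 post and this sample config have to agree with each other, and nothing on the server checks that for you. As an added example (not code from either post), the Python below parses both snippets, embedded inline as constructed strings, and verifies that every port in pasv_min_port..pasv_max_port and the control port (listen_port, which vsftpd defaults to 21) are opened by an unrestricted net-to-fw ACCEPT rule; host-qualified rules such as the VMware one are deliberately not counted. It also flags ssl_sslv2 and ssl_sslv3 when set to YES. Run against the page's own values it surfaces one mismatch: the sample config listens on 990 while the firewall only opens 21.

```python
"""Cross-check Shorewall rules against vsftpd.conf (added example)."""

# Constructed copies of the page's two snippets.
SHOREWALL_RULES = """\
#ACTION SOURCE DESTINATION PROTOCOL DESTINATION_PORTS
ACCEPT:ULOG net fw tcp 21,30000:30100
ACCEPT:ULOG net:IPofVMwareHostgoeshere fw tcp 20000
"""

VSFTPD_CONF = """\
listen=YES
listen_port=990
pasv_min_port=30000
pasv_max_port=30100
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Shorewall port syntax: '21,30000:30100' -> [(21, 21), (30000, 30100)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def tcp_ports_open_from_net(rules: str) -> list[tuple[int, int]]:
    """TCP port ranges that any host in zone net may reach on the firewall.

    Rules with a host-qualified source (net:1.2.3.4) are skipped on purpose:
    they open the port for one address, not for FTP clients in general."""
    ranges = []
    for line in rules.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.startswith("#"):
            continue
        action, source, dest, proto, dports = fields[:5]
        if (action.split(":")[0] == "ACCEPT" and source == "net"
                and dest in ("fw", "$FW") and proto == "tcp"):
            ranges.extend(parse_port_spec(dports))
    return ranges


def fully_open(lo: int, hi: int, ranges: list[tuple[int, int]]) -> bool:
    """True only if every port lo..hi lies inside some open range (no gaps)."""
    return all(any(a <= p <= b for a, b in ranges) for p in range(lo, hi + 1))


def parse_conf(text: str) -> dict[str, str]:
    """key=value lines; blanks and '#' comments ignored."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split("=", 1) for ln in lines if ln and not ln.startswith("#"))


def check_ftp_exposure(rules: str, conf_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the two configs agree."""
    conf = parse_conf(conf_text)
    opened = tcp_ports_open_from_net(rules)
    findings = []
    control = int(conf.get("listen_port", "21"))  # vsftpd's default control port
    if not fully_open(control, control, opened):
        findings.append(f"control port {control} (listen_port) is not opened by any net->fw rule")
    if "pasv_min_port" in conf and "pasv_max_port" in conf:
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if not fully_open(lo, hi, opened):
            findings.append(f"passive range {lo}-{hi} is not fully opened")
    else:
        findings.append("pasv_min_port/pasv_max_port unset: vsftpd may hand out any high port")
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(key, "NO").upper() == "YES":
            findings.append(f"{key}=YES enables a protocol version that should stay disabled")
    return findings


if __name__ == "__main__":
    for finding in check_ftp_exposure(SHOREWALL_RULES, VSFTPD_CONF):
        print("FINDING:", finding)
```

Either side of the mismatch can be fixed: set listen_port back to 21, or add 990 to the port list in the Shorewall rule; the check passes once the two files name the same control port and the passive range is opened without gaps.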


May 14, 2009

Vsftpd FTPS and FireFTP don't mix

When I was using FireFTP on an FTPS-enabled Vsftpd server, my login was okay, but the connection was stuck at Directory Listing. Downloading files and uploading files were okay; just the directory listing was excruciatingly slow for me--it took up to 2 minutes to load the directory listing. I tested using Filezilla, and it worked superbly, so I'll just post this out there in case others are running into the same problem.

May 13, 2009

How to: Webmin Installation Guide


This post is an excerpt from the guide posted on Ubuntugeek.com

Install the following packages:

sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl


Now download the latest webmin using the following command or from here:
http://www.webmin.com/download.html

wget http://garr.dl.sourceforge.net/sourceforge/webadmin/webmin_1.4XX_all.deb


Now that we have the webmin_1.4XX_all.deb package, install it using the following command

sudo dpkg -i webmin_1.4XX_all.deb


This will complete the installation.

Ubuntu in particular doesn't allow logins by the root user by default. However, the user created at system installation time can use sudo to switch to root. Webmin will allow any user who has this sudo capability to log in with full root privileges.

Now you need to open your web browser and enter the following

https://your-server-ip:10000/

If you cannot connect, make sure to add port 10000 to your firewall.

May 10, 2009

How to: Not display last user name on Windows Logon Screen

Instructions:
  1. Go to Run and type in Regedit
  2. Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  3. Open the value dontdisplaylastusername
  4. Change value to 1
  5. Restart the computer

May 8, 2009

1and1 Email Exchange Server Goes Down 5/8/2009 - POP, SMTP, Webmail Offline

UPDATE: MAIL SERVERS ARE BACK UP AS OF FRIDAY, MAY 8TH, 2009 11:00AM PST

1and1 Internet's email exchange servers are down as of Friday, May 8th, 2009 morning. We tried calling their technical support line, but their phone lines jammed up with other callers trying to call in for information. As a customer, it's frustrating not having updated information on the status of their service. Hey 1and1, how about using your own blog service to create a blog to update customers? Anyway, 1and1 provided good service for us in the past, so hopefully this doesn't happen again any time soon in the future.