SSHd: miscellaneous settings

In the file /etc/ssh/sshd_config
First, change the port (this mostly cuts scanner noise in the logs; it is not a substitute for key-only authentication) and bind sshd to one address. Note that the keyword is ListenAddress, not Listen: sshd refuses to start on an unknown keyword, so run `sshd -t` before restarting the service.

Port xxxx
ListenAddress xxx.xxx.xxx.xxx
TCPKeepAlive yes
UseDNS no
ClientAliveInterval 30
ClientAliveCountMax 100

With ClientAliveInterval 30 and ClientAliveCountMax 100 an unresponsive client is dropped after 50 minutes of silence (30 s * 100). UseDNS no skips the reverse lookup at login, which avoids slow connects when DNS is broken; it only matters if you rely on hostname patterns in authorized_keys from= options.

and in /etc/ssh/ssh_config (the client side) add:
ServerAliveInterval 60
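As an added example (not from the original post), here is a small shell pre-flight for the directives above. It catches the Listen/ListenAddress mix-up, checks two directives the post leaves at their defaults (PermitRootLogin and PasswordAuthentication) and computes the idle timeout the ClientAlive* pair produces. The two sample configs inside it are constructed, with 2222 and 192.0.2.10 standing in for the post's placeholders; `sshd -t -f FILE` remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight audit of an sshd_config
# fragment. It flags "Listen" (the keyword is ListenAddress; sshd refuses to start
# on an unknown keyword), checks two directives the post leaves at their defaults
# (PermitRootLogin, PasswordAuthentication), and computes the idle timeout that the
# ClientAlive* pair produces. `sshd -t -f FILE` remains the authoritative check.

# In sshd_config the FIRST occurrence of a keyword wins, so return the first match.
sshd_get() {            # usage: sshd_get FILE KEYWORD  -> value, empty if unset
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Seconds of silence before sshd drops an unresponsive client:
# ClientAliveInterval (default 0 = never) * ClientAliveCountMax (default 3).
sshd_idle_timeout() {   # usage: sshd_idle_timeout FILE -> seconds
    i=$(sshd_get "$1" ClientAliveInterval)
    c=$(sshd_get "$1" ClientAliveCountMax)
    echo $(( ${i:-0} * ${c:-3} ))
}

# Print findings; exit 0 when every FAIL check passes, 1 otherwise.
sshd_audit() {          # usage: sshd_audit FILE
    f=$1; rc=0
    if [ -n "$(sshd_get "$f" Listen)" ]; then
        echo "FAIL: 'Listen' is not an sshd_config keyword, use ListenAddress"; rc=1
    fi
    case "$(sshd_get "$f" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        "") echo "FAIL: PermitRootLogin unset (default varies by version), set it explicitly"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin should be no or prohibit-password"; rc=1 ;;
    esac
    if [ "$(sshd_get "$f" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication should be no (key-based logins only)"; rc=1
    fi
    [ "$(sshd_get "$f" UseDNS)" = "no" ] || echo "WARN: UseDNS not set to no (slow logins when reverse DNS is broken)"
    p=$(sshd_get "$f" Port)
    echo "INFO: port ${p:-22}, idle timeout $(sshd_idle_timeout "$f")s"
    return $rc
}

# Constructed samples: the post's fragment as printed, and a corrected one.
# 2222 and 192.0.2.10 are placeholders for the post's xxxx / xxx.xxx.xxx.xxx.
write_as_posted() {     # usage: write_as_posted FILE
    cat > "$1" <<'EOF'
Port 2222
Listen 192.0.2.10
TCPKeepAlive yes
UseDNS no
ClientAliveInterval 30
ClientAliveCountMax 100
EOF
}
write_hardened() {      # usage: write_hardened FILE
    cat > "$1" <<'EOF'
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
TCPKeepAlive yes
UseDNS no
ClientAliveInterval 30
ClientAliveCountMax 100
EOF
}

# Demo: audit both samples.
t=$(mktemp)
write_as_posted "$t"; echo "-- as posted:"; sshd_audit "$t" || echo "=> not OK"
write_hardened "$t";  echo "-- hardened:";  sshd_audit "$t" && echo "=> OK"
rm -f "$t"
```

Run it as `sh sshd_preflight.sh` before restarting sshd; the audit reads the config file directly, so it can also be pointed at `sshd -T` output, which prints the effective settings in the same keyword-value shape.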

Pure-FTPd: PassivePortRange to control the ports the daemon uses, and firewalling

It's simple: I don't want the FTP daemon picking a random port for passive connections (that is, the normal mode of any FTP client), because the firewall can only allow a range it knows about.

nano /etc/pure-ftpd.conf

# Port range for passive connections replies. - for firewalling.

PassivePortRange 30000 35000

Excerpt from the README of CSF (ConfigServer Security & Firewall):

13. A note about FTP Connection Issues
######################################

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won't work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange	30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts	30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol establishes a connection between client and server.
iptables fails to establish a related connection when using FTP over SSL
because the FTP control connection is encrypted and so cannot track the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.

Now, in CSF, open the port range:
/etc/csf/csf.conf
TCP_IN = "22,21,20,30000:35000"

Only TCP_IN needs the range: in passive mode the client opens the data connection towards the server, so the server never initiates the data connection itself (active mode, where the server connects out from port 20 to the client's ephemeral port, is exactly what CSF's note tells you to avoid). Restart csf (csf -r) and pure-ftpd afterwards, and check with a client in PASV mode that the data connection lands inside 30000-35000.

Done: with this the passive ports of the FTP daemon are under firewall control. Credentials and data still travel in clear unless you use FTP over TLS, and then the CSF note above applies.
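An added example, not from the post nor from CSF or Pure-FTPd: a shell check that the PassivePortRange in pure-ftpd.conf sits entirely inside one TCP_IN entry of csf.conf, which is the mismatch behind "PASV works for some transfers and hangs for others". The sample configuration files are constructed inline; the formats it parses are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post nor from Pure-FTPd or CSF: verify that
# the passive range in pure-ftpd.conf is completely covered by a single TCP_IN entry
# in csf.conf. Formats assumed (as shown in the post):
#   pure-ftpd.conf:  PassivePortRange LOW HIGH
#   csf.conf:        TCP_IN = "22,21,20,30000:35000"   (quoted, comma-separated)

# Print "LOW HIGH" from pure-ftpd.conf. Empty output means no range is set, so
# PASV replies will carry random ports that a stateful firewall without the FTP
# conntrack helper will reject.
ftp_passive_range() {        # usage: ftp_passive_range PURE_FTPD_CONF
    awk '$1 == "PassivePortRange" { lo = $2; hi = $3 } END { if (lo) print lo, hi }' "$1"
}

# Print the TCP_IN entries of csf.conf one per line (single ports or LOW:HIGH).
csf_tcp_in() {               # usage: csf_tcp_in CSF_CONF
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | tr ',' '\n'
}

# Exit 0 when [LOW,HIGH] lies inside one TCP_IN entry, 1 when it is only partly
# (or not at all) open, 2 when Pure-FTPd has no PassivePortRange.
passive_range_open() {       # usage: passive_range_open PURE_FTPD_CONF CSF_CONF
    range=$(ftp_passive_range "$1")
    [ -n "$range" ] || { echo "no PassivePortRange in $1: PASV ports are random"; return 2; }
    lo=${range% *}; hi=${range#* }
    csf_tcp_in "$2" | awk -F: -v lo="$lo" -v hi="$hi" '
        { a = $1 + 0; b = (NF > 1 ? $2 : $1) + 0; if (a <= lo && b >= hi) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample files for the check.
write_pure_ftpd() {          # usage: write_pure_ftpd FILE LOW HIGH
    printf '# Port range for passive connections replies. - for firewalling.\nPassivePortRange %s %s\n' "$2" "$3" > "$1"
}
write_csf() {                # usage: write_csf FILE "PORT,PORT,LOW:HIGH,..."
    printf '# Allow incoming TCP ports\nTCP_IN = "%s"\n' "$2" > "$1"
}

# Demo: the post's settings match; a csf.conf that stops at 34000 does not.
p=$(mktemp); c=$(mktemp)
write_pure_ftpd "$p" 30000 35000
write_csf "$c" "22,21,20,30000:35000"
passive_range_open "$p" "$c" && echo "30000-35000 fully open in csf"
write_csf "$c" "22,21,20,30000:34000"
passive_range_open "$p" "$c" || echo "passive range not fully open (rc=$?)"
rm -f "$p" "$c"
```

On a real server call `passive_range_open /etc/pure-ftpd.conf /etc/csf/csf.conf` after every change to either file; a non-zero exit is the cue to fix the range before restarting the daemons.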

Amaro.

Preventing changes to the resolv.conf file

Sometimes /etc/resolv.conf gets overwritten when an interface obtains a DHCP lease. To stop that, always as root:

Simple but effective:
chattr +i /etc/resolv.conf

If later we need to add or change any value, we can unlock it simply with:
chattr -i /etc/resolv.conf

Note that the DHCP client will now fail (and log an error) every time it tries to write the file; the cleaner long-term fix is to tell the client not to touch DNS settings, for example a "supersede domain-name-servers ...;" line in dhclient.conf. Check the flag with lsattr /etc/resolv.conf; the immutable attribute needs root and a filesystem that supports it (ext4, XFS, Btrfs).

Regards,

AmaRo

PPTPd Mikrotik Examples - Remote Access and Site-to-Site

Application Examples

Connecting Remote Client

The following example shows how to connect a computer to a remote office network over a PPTP tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels).

A caveat before copying this: PPTP's authentication (MS-CHAPv2) and its MPPE (RC4) encryption are considered broken, so treat these tunnels as unencrypted on untrusted networks and prefer IPsec/IKEv2, WireGuard or OpenVPN for anything new. The ppp secret, routing and proxy-arp steps below are the same for the other PPP-based tunnels on RouterOS (L2TP/IPsec, SSTP).

Consider following setup

(diagram: Pptp-rem-offoce.png)

The office router is connected to the internet through ether1. Workstations are connected to ether2. The laptop is connected to the internet and can reach the office router's public IP (in our example it is 192.168.80.1).
The first step is to create a user (use a real secret rather than "123" outside the lab):

[admin@RemoteOffice] /ppp secret> add name=Laptop service=pptp password=123
local-address=10.1.101.1 remote-address=10.1.101.100
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
  0   name="Laptop" service=pptp caller-id="" password="123" profile=default
      local-address=10.1.101.1 remote-address=10.1.101.100 routes=""

[admin@RemoteOffice] /ppp secret>

Notice that the pptp local address is the same as the router's address on the local interface, and the remote address is from the same range as the local network (10.1.101.0/24).

Next step is to enable pptp server and pptp client on the laptop.

[admin@RemoteOffice] /interface pptp-server server> set enabled=yes
[admin@RemoteOffice] /interface pptp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
[admin@RemoteOffice] /interface pptp-server server>

The PPTP client on the laptop should connect to the router's public IP, which in our example is 192.168.80.1.
Please consult the respective manual on how to set up a PPTP client with the software you are using.

At this point (once the PPTP client is connected), pinging any workstation from the laptop will time out: the workstations' ARP requests for the laptop's address get no reply, because the router holds that address on the PPTP interface rather than on the LAN. The solution is to enable proxy-arp on the local interface so the router answers on the laptop's behalf:

[admin@RemoteOffice] /interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] /interface ethernet> print
Flags: X - disabled, R - running
  #    NAME                 MTU   MAC-ADDRESS         ARP
  0  R ether1              1500  00:30:4F:0B:7B:C1 enabled
  1  R ether2              1500  00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] /interface ethernet>

After proxy-arp is enabled client can successfully reach all workstations in local network behind the router.

 

Site-to-Site PPTP

The following is an example of connecting two Intranets using PPTP tunnel over the Internet.

Consider following setup

(diagram: Site-to-site-pptp-example.png)

Office and Home routers are connected to internet through ether1, workstations and laptops are connected to ether2. Both local networks are routed through pptp client, thus they are not in the same broadcast domain. If both networks should be in the same broadcast domain then you need to use BCP and bridge pptp tunnel with local interface.

First step is to create a user

[admin@RemoteOffice] /ppp secret> add name=Home service=pptp password=123
local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"
[admin@RemoteOffice] /ppp secret> print detail
Flags: X - disabled
  0   name="Home" service=pptp caller-id="" password="123" profile=default
      local-address=172.16.1.1 remote-address=172.16.1.2 routes="10.1.202.0/24 172.16.1.2 1"

[admin@RemoteOffice] /ppp secret>

Notice that we set up pptp to add route whenever client connects. If this option is not set, then you will need static routing configuration on the server to route traffic between sites through pptp tunnel.

Next step is to enable pptp server on the office router and configure pptp client on the Home router.

[admin@RemoteOffice] /interface pptp-server server> set enabled=yes
[admin@RemoteOffice] /interface pptp-server server> print
            enabled: yes
            max-mtu: 1460
            max-mru: 1460
               mrru: disabled
     authentication: mschap2
  keepalive-timeout: 30
    default-profile: default
[admin@RemoteOffice] /interface pptp-server server>
[admin@Home] /interface pptp-client> add user=Home password=123 connect-to=192.168.80.1 disabled=no
[admin@Home] /interface pptp-client> print
Flags: X - disabled, R - running
 0    name="pptp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=192.168.80.1 user="Home" 
       password="123" profile=default-encryption add-default-route=no dial-on-demand=no 
       allow=pap,chap,mschap1,mschap2
[admin@Home] /interface pptp-client>

Now we need a route on the Home router to reach the network behind the Office router (10.1.101.0/24) through the tunnel; the Office side already learns the route to 10.1.202.0/24 from the routes= entry in the secret. The pptp-out1 interface exists on the Home router, so the route is added there:

[admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=pptp-out1

Now after tunnel is established and routes are set, you should be able to ping remote network.

Fuente: http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP

Regards, AmaRo

Forcing a DDclient update

To force a DynDNS update on Linux, after editing ddclient.conf:

TUSERVER:~# cat /etc/ddclient.conf
# Configuration file for ddclient
pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=eth0
#use=if, if=ppp0
server=members.dyndns.org
login=TUUSER
password=TUPASSWORD
TUHOST.homelinux.com

Then run: ddclient -force

Since the file holds the account password in clear, keep it readable by root only (chmod 600 /etc/ddclient.conf). Note also that use=if reports the interface's own address, which is wrong behind NAT; use=web is the usual choice there.

Regards.

AmaRo

Exim: commands you need to know

Exim is a mail transfer agent (MTA) that runs on most Unix systems and, together with Qmail and Postfix, is one of the most common choices for mail service on Unix servers.

Assuming we already know how Exim works, the basic commands a sysadmin running this MTA needs are:

List the messages in the queue:

exim -bp

Print the number of messages in the queue:

exim -bpc

Show a summary of the queue (domain, number of messages, age and size):

exim -bp | exiqsumm

Delete one specific message:

exim -Mrm '<message-id>'

Freeze a message:

exim -Mf '<message-id>'

Deliver (process) a message now:

exim -M '<message-id>'

Delete all frozen messages:

exiqgrep -z -i | xargs exim -Mrm

Show what exim is doing right now:

exiwhat

Trace how an address would be routed (which router and transport would handle it; this takes an address, not a message id):

exim -bt user@example.com

View a message's headers:

exim -Mvh '<message-id>'

View a message's body:

exim -Mvb '<message-id>'

View a message's log:

exim -Mvl '<message-id>'

Force a queue run (including frozen messages):

exim -qff

Find queued messages from a given sender:

exiqgrep -f [user]@domain

Find queued messages to a given recipient:

exiqgrep -r [user]@domain

About these last two commands: exiqgrep is extremely useful and has many other options, which can be looked up in its help (exiqgrep -h); note that -f and -r take a regular expression, so escape the dot in the domain if you want an exact match.

Delete the whole mail queue (two ways):

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | sh
rm /var/spool/exim/input/*

The first one is the safe way (exiqgrep -i | xargs exim -Mrm does the same without generating shell commands). The second removes the spool files behind Exim's back: do it only with Exim stopped, and note that on Debian and Ubuntu the spool lives in /var/spool/exim4/input.

Knowing these commands (or keeping them handy), one can already move around Exim with confidence.
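The queue-listing format these commands operate on, parsed by a shell function: an added example, not from the post or from Exim. It extracts message IDs from `exim -bp` output (all, frozen or active ones) and matches senders, so the "empty the queue" step can be done with xargs instead of piping generated commands into sh. The queue listing it works on is constructed; on a live system replace sample_queue with exim -bp.

```shell
#!/bin/sh
# Added example, not from the original post: parse `exim -bp` output with a shell
# function instead of piping generated commands into `sh`. Format assumed (what exim
# prints): a header line  "<age> <size> <message-id> <sender>[ *** frozen ***]"
# with the age ending in m, h or d, then one indented line per recipient, then a
# blank line. The queue listing below is constructed for this example.

sample_queue() {
    cat <<'EOF'
25m  1.5K 1aBcDe-0001A2-Xy <alice@example.com>
          bob@example.net

 3d   2.1K 1bCdEf-0002B3-Zz <bounce@example.org> *** frozen ***
          carol@example.net
          dave@example.net

 2h    12K 1cDeFg-0003C4-Qq <> *** frozen ***
          erin@example.net
EOF
}

# Print message IDs from `exim -bp` on stdin. Argument: all (default), frozen, active.
exim_queue_ids() {          # usage: exim -bp | exim_queue_ids [all|frozen|active]
    awk -v want="${1:-all}" '
        /^ *[0-9]+[mhd] / {
            frozen = ($0 ~ /\*\*\* frozen \*\*\*/)
            if (want == "all" || (want == "frozen" && frozen) || (want == "active" && !frozen))
                print $3
        }'
}

# Print "ID <sender>" for every message from one exact sender (compare with exiqgrep -f).
exim_queue_from() {         # usage: exim -bp | exim_queue_from ADDRESS
    awk -v who="<$1>" '/^ *[0-9]+[mhd] / && $4 == who { print $3, $4 }'
}

# Count messages in the listing (the same number `exim -bpc` reports).
exim_queue_count() {        # usage: exim -bp | exim_queue_count
    exim_queue_ids | wc -l | tr -d ' '
}

# Demo on the constructed listing. Against a live queue:
#   exim -bp | exim_queue_ids frozen | xargs -r exim -Mrm     # drop frozen mail only
#   exim -bp | exim_queue_ids | xargs -r exim -Mrm            # empty the whole queue
printf 'queued: %s, frozen: %s\n' "$(sample_queue | exim_queue_count)" \
       "$(sample_queue | exim_queue_ids frozen | wc -l | tr -d ' ')"
sample_queue | exim_queue_from alice@example.com
```

Because the IDs go through xargs rather than through a generated `sh` script, a sender address containing shell metacharacters can never become a command, which is the weakness of the awk-to-sh one-liner above.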


Source: http://rm-rf.es/exim-comandos-basicos/

WHM + Nginx Plugin: a way to speed up and secure HTTPd

The Nginx HTTP server works wonderfully thanks to its speed, security and simplicity.

The steps to get this daemon working with cPanel WHM installed on our system...

#Installation
cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
#(the tarball arrives over plain HTTP with no checksum or signature: inspect it
# before running its installer as root)
tar xf nginxadmin.tar
cd publicnginx
#From here on, commands customised by me.
#Set the PyYAML 3.10 egg aside by renaming it, so the installer picks up version 3.09
./pythonfix
cd /usr/lib/python2.4/site-packages
mv PyYAML-3.10-py2.4-linux-i686.egg PyYAML-3.10-py2.4-linux-i686.egg_
cd /usr/local/src
cd publicnginx
./nginxinstaller install

#Uninstall
cd /usr/local/src
wget http://nginxcp.com/latest/nginxadmin.tar
tar xf nginxadmin.tar
cd publicnginx
./nginxinstaller uninstall

Security: How to manage a DDOS or DOS attempt directed at your linux server

This is a guide I would not want to lose for anything.
Source: http://www.liquidcomm.net/news/tech-tips/apache/How-to-manage-a-DDOS-or-DOS-attempt-directed-at-your-linux-server.html

Stopping a DDOS (distributed denial of service attack) or DOS (denial of service attack) is no simple task.  Frequently, these attacks become more than just a nuisance, they completely immobilize your server’s services and keep your users from using your website.

We’ve found a few common sense ways to help ease the pain of DDOS and/or DOS attacks.  While no method is fool proof, we certainly can minimize the profound effect these attacks have on your users and subsystems.

Identify the Source

Good luck with that one.  Many DDOS and DOS attacks are from roaming IP addresses.  A distributed denial of service attack can come from many different IP addresses and it quickly becomes impossible for the Linux system administrator to isolate and confine each IP with a firewall rule.

Wikipedia does a great job of describing the various types of attacks here: http://en.wikipedia.org/wiki/Denial-of-service_attack.  For the purpose of this tutorial, I’ll leave the research on the types of attacks up to you, and address the most common form that we’ve encountered over the years, the Apache directed DDOS or DOS attack.

Apache Based Attacks

Symptoms of the Apache DDOS or DOS attack:

  • Website(s) serve slowly
  • You notice hanging processes
  • apachetop shows the same IP address requesting the same resource over and over
  • The system resource continues to multiplex, causing more processes to spawn
  • The command:
    • netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  • says that you have a few too many connections from one address to feel comfortable with

The end result:

  • Apache goes down
  • System load goes sky high
  • Server stops responding
  • You can't ssh to the server node
  • You’ve lost connectivity completely and a reboot is mandatory in order to restore access to the system

Preventative Measures and Counter Measures:

  • Enable SYN cookies at the kernel level (the echo is not persistent across reboots; add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf as well)
    • echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  • Enable and configure iptables to rate-limit the attack, or at least log it. The custom chain must also be hooked into INPUT, otherwise it is never evaluated:
    • /sbin/iptables -N syn-flood
    • /sbin/iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    • /sbin/iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    • /sbin/iptables -A syn-flood -j DROP
    • /sbin/iptables -A INPUT -p tcp --syn -j syn-flood
  • Install the APF firewall to work to identify risky behavior
    • APF stands for Advanced Policy Firewall.  It's a rock solid firewall that normally plays nice with iptables.  You can grab the most recent copy here: http://www.rfxn.com/projects/
  • Install (D)DosDeflate
    • Great software, rock solid, and plays nice with either APF or iptables.  Install and configure the service in seconds using the commands below.  Edit the .conf file to use whichever flavor of firewall you'd like to integrate it with.  Set a few configuration settings and you're done.
    • To Install (D)DosDeflate:
      • wget http://www.inetbase.com/scripts/ddos/install.sh
      • chmod 0700 install.sh
      • ./install.sh
    • If it doesn't work out, it's simple to uninstall too.  To uninstall:
      • wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
      • chmod 0700 uninstall.ddos
      • ./uninstall.ddos

So a few tools are outlined above.  We've found that this will stop 90% of the attacks that are out there.  Some nice firewall rules above your server (at the router or switch level) also help.  Most of the time we can identify suspicious traffic before it even hits your servers, so a shameless plug here is probably in order.

I know, shameless.

Contact Us if you’d like to colocate your server with us, or if there is something more that we can help you with.

We enjoy the opportunity to discuss your challenges, it helps make all of us better.