SSH password-less authentication


SSH key authentication (no password):
SSH key authentication is the most popular login method among Linux system administrators, and it is recommended whenever remote servers are accessed frequently. It provides confidentiality and integrity for the data exchanged between client and server. SSH is secure on its own, but combining more than one security mechanism is considered far stronger.
The traditional SSH method uses password authentication. This is considered vulnerable because it can be compromised by a man-in-the-middle attack (an attack on confidentiality): a third party poses as the claimed peer and can sniff the connection.
SSH key authentication is a combination of SSH and cryptography.
Advantages of SSH cryptography
1. Confidentiality - makes sure that no third party is involved in the communication.
2. Integrity - ensures that only authorized modifications happen during transmission.
3. Easy to implement.
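The post explains why key authentication is preferred but not how to switch a server over to it. The following shell snippet is an added example, not part of the original post: it lists the client-side key setup in comments and provides helpers that turn off password logins in sshd_config only after the key login has been verified. The host server.example.com, the user admin, and the config path are assumptions; the directive names are real OpenSSH options.

```shell
#!/bin/sh
# Added example, not from the original post. Client-side key setup (run as the client user):
#   ssh-keygen -t ed25519 -a 64 -f ~/.ssh/id_ed25519
#   ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@server.example.com
#   ssh -i ~/.ssh/id_ed25519 admin@server.example.com   # must succeed BEFORE disabling passwords
# Host, user and /etc/ssh/sshd_config below are assumptions.

# set_sshd_option FILE KEY VALUE: rewrite every KEY line (commented or not) to "KEY VALUE",
# or append the line when KEY is absent. sshd honours the FIRST occurrence of a keyword,
# so leaving an earlier "#PasswordAuthentication yes" untouched would be harmless, but
# leaving an earlier uncommented "PasswordAuthentication yes" would silently win.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
    tmp=$(mktemp)
    sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file" > "$tmp" \
      && cat "$tmp" > "$file" && rm -f "$tmp"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_option FILE KEY: the value sshd would use (first uncommented match, keywords are case-insensitive)
sshd_option() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE: keys on, passwords and keyboard-interactive prompts off,
# root only via key (prohibit-password needs OpenSSH 7.0 or newer)
harden_sshd_config() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
  set_sshd_option "$1" PermitRootLogin prohibit-password
}

# Apply on the server (assumed paths; keep the current session open until a second
# key-based login succeeds):
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t -f /etc/ssh/sshd_config && service ssh reload
```

Validate with `sshd -t -f FILE` before reloading, and keep the existing session open until a fresh key-based login works; if the server uses Match blocks, check that no Match block re-enables PasswordAuthentication for the users you care about.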

INSTALLING AND SECURING ASTERISK/ELASTIX (PBX) ON CENTOS

Installation of the PBX server
To install the phone server, insert the Elastix CD and follow the on-screen instructions.
Securing the PBX/Asterisk server:
Basic security measures:
1. Secure extensions
Extensions in Elastix are very vulnerable to attack. Extensions with weak passwords open the way for attackers to break into the phone system.
1.1 Use a strong secret (password) for each extension: a combination of numbers, letters and other ASCII characters.
1.2 Use the allow/deny fields:
Deny 0.0.0.0/0.0.0.0
Allow 192.168.0.0/255.255.255.0

This allows the extension to connect only from the local network. For example, if the local network is 10.1.1.0, use 10.1.1.0/255.255.255.0 in the allow field.
1.3 No NAT for extensions: do not enable NAT for extensions.
2. Block anonymous SIP calls
Allowing anonymous calls weakens the phone server: anyone can place fake calls and scan the phone system's structure, including its extensions. Blocking anonymous SIP calls is the best security practice for a PBX.
Go to General Settings and select NO for "Allow anonymous calls".
3. Block SIP guests
Do not allow guest SIP accounts to register with the PBX.
Open Unembedded FreePBX and, in the Tools section, click Asterisk settings. Select NO for "Allow SIP guests".
4. Do not install any extra services on the phone system unless needed (each one opens more unwanted ports).
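The four basic measures above map onto a handful of keys in Asterisk's chan_sip configuration (the GUI fields write `secret`, `deny`/`permit`, `nat` per extension and `allowguest` in `[general]`). The audit below is an added example, not code from the post or from Elastix: it reads a sip.conf-style text and reports every extension that violates the measures. The sample configuration is constructed for the demonstration and the 8-character secret threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sip.conf for the post's basic measures.
# Keys checked (secret, deny, permit, nat, allowguest) are real chan_sip options.

# Constructed sample: extension 1001 breaks every rule, 1002 follows them.
SAMPLE_SIP_CONF=$(cat <<'EOF'
[general]
allowguest=yes

[1001]
type=friend
secret=1234
nat=yes
host=dynamic

[1002]
type=friend
secret=Xq7pL9vR2mTz
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
nat=no
host=dynamic
EOF
)

# audit_sip_conf TEXT: prints one finding per line; prints nothing for a clean config
audit_sip_conf() {
  printf '%s\n' "$1" | awk '
    function flush() {
      if (sec == "") return
      if (sec == "general") {
        # Asterisk defaults allowguest to yes, so a missing key is also a finding
        if (allowguest != "no") print "general: allowguest is not set to no (anonymous/guest SIP allowed)"
      } else if (type != "") {
        if (length(secret) < 8) print sec ": secret is shorter than 8 characters"
        if (!hasdeny || !haspermit) print sec ": no deny/permit restriction"
        if (nat == "yes") print sec ": nat=yes"
      }
      sec = ""; type = ""; secret = ""; nat = ""; allowguest = ""; hasdeny = 0; haspermit = 0
    }
    /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
    /^[ \t]*$/ || /^[ \t]*;/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "type") type = val
      else if (key == "secret") secret = val
      else if (key == "nat") nat = val
      else if (key == "allowguest") allowguest = val
      else if (key == "deny") hasdeny = 1
      else if (key == "permit") haspermit = 1
    }
    END { flush() }'
}

# Usage on a real system (assumed path): audit_sip_conf "$(cat /etc/asterisk/sip_additional.conf)"
```

Running it on the constructed sample reports four findings, all for `[general]` and extension 1001; extension 1002 produces none.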
Advanced Security measures:



How to mount a CIFS file system (Samba shares) on remote Windows/Linux systems


How to create network shares in Linux
Samba shares can be mounted on both Linux and Windows systems. Earlier, Samba used the NFS (Network File System) file share, which is more vulnerable to attack. These days Samba uses CIFS (Common Internet File System), which is considered more secure than NFS.
To mount the share in Windows
Open the Run dialog and type the share path. For example, if the server is 192.168.1.85 and the shared folder is named 'Share':
//192.168.1.85/Share
Mount the shared folder in Linux
For a temporary mount, type:
mount -t cifs //192.168.1.85/Share /localdirectory/tmp/ -o username=user,password=pass
This command mounts the remote share on the specified local directory.
To mount it permanently,
edit /etc/auto.misc and add:
net -fstype=cifs,rw,username=user,password=pass ://192.168.1.85/Share
The permanent mount location is the /misc/net directory. (Note: the net folder inside /misc does not need to exist beforehand.)

Finally, start or restart the automount service:
/etc/init.d/autofs restart
To verify the mounted drive, go to /misc/net and list the directories:
# ls -lh /misc/net
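Both mount forms above put the share password on the command line (visible in `ps` output and shell history) or in /etc/auto.misc. The helpers below are an added example, not part of the original post: they keep the password in a mount.cifs credentials file that only root can read, check the file's permissions, and build the auto.misc entry with `credentials=` in place of the inline `username=`/`password=` options. Server, share and user come from the post; the path /etc/cifs-creds/share.cred is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: credentials file instead of an inline password.

# write_cifs_credentials PATH USER PASSWORD: creates the file mode 0600 (umask 077 in a
# subshell so the caller's umask is untouched) in the key=value form mount.cifs reads
write_cifs_credentials() {
  ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
}

# credentials_are_private PATH: succeeds only if no other local user can read the file
credentials_are_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# automount_entry KEY CREDS SERVER SHARE: the /etc/auto.misc line, with credentials=
# replacing the post's username=/password= options
automount_entry() {
  printf '%s -fstype=cifs,rw,credentials=%s ://%s/%s\n' "$1" "$2" "$3" "$4"
}

# Setup on a real host (assumed paths; not run here):
#   mkdir -p /etc/cifs-creds
#   write_cifs_credentials /etc/cifs-creds/share.cred user pass
#   credentials_are_private /etc/cifs-creds/share.cred || echo "fix permissions first"
#   automount_entry net /etc/cifs-creds/share.cred 192.168.1.85 Share >> /etc/auto.misc
# The temporary mount from the post becomes:
#   mount -t cifs //192.168.1.85/Share /localdirectory/tmp/ -o credentials=/etc/cifs-creds/share.cred
```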


Secure FTP server in Linux


Setting up a secure FTP server on Ubuntu 10.10
Initial requirements
If you are already running other FTP services in your network, decide which port you want to use for this FTP server.
Create users for accessing the FTP service and set their home directories accordingly in /etc/passwd.
Download and install
  1. sudo apt-get install vsftpd
  2. Configure vsftpd.conf to adjust the settings. Most of the defaults work with vsftpd, but a few changes are mandatory.
  3. Edit /etc/vsftpd.conf using nano.
  4. Passive mode is enabled by default in vsftpd. To disable it, add pasv_enable=NO
  5. To change the default port, add or change the line listen_port=21
  6. Try to jail FTP users within their own directories.
Troubleshooting vsftpd errors
1. vsftpd login authentication failed
Possible solutions:
1.1 In the FTP client, choose plain FTP rather than SFTP or another protocol.
1.2 Choose a password that is not overly complex: if it includes unusual ASCII characters, the FTP server may not recognise it.
1.3 Disable SSL in vsftpd by adding this line to vsftpd.conf: ssl_enable=NO
1.4 Make sure anonymous authentication is disabled.
2. Cannot access the directories; listing the remote directory '/' fails with an error in the 500 range (500, 533 or similar).

2.1 Change the permissions on the directories recursively, e.g.
chmod -R 777 folder_name_of_FTP_Access
2.2 Set the umask in vsftpd.conf to 002: local_umask=002
2.3 Edit /etc/passwd to change the home directories of the FTP users.
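The install steps and the troubleshooting list both come down to a few lines in vsftpd.conf. The helpers below are an added example, not the post's own code: one writes a minimal vsftpd.conf with the settings discussed above (anonymous access off, users jailed, passive mode and listen port explicit, umask set), and one audits an existing file for the settings whose vsftpd defaults are the unsafe ones. All keys are real vsftpd.conf options; the output path and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Real vsftpd.conf keys; paths are assumptions.

# write_vsftpd_conf PATH PORT: a minimal config for local users only
write_vsftpd_conf() {
  cat > "$1" <<EOF
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_enable=YES
listen_port=$2
local_umask=022
ssl_enable=NO
EOF
}

# conf_get FILE KEY: value of KEY, ignoring commented lines; last definition wins
conf_get() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: one finding per line; returns 1 when anything was found.
# The three keys checked are the ones whose built-in vsftpd defaults are the unsafe choice.
audit_vsftpd_conf() {
  findings=0
  if [ "$(conf_get "$1" anonymous_enable)" != "NO" ]; then
    echo "anonymous_enable is not NO (vsftpd's built-in default is YES)"; findings=1
  fi
  if [ "$(conf_get "$1" chroot_local_user)" != "YES" ]; then
    echo "chroot_local_user is not YES (users can browse outside their home)"; findings=1
  fi
  if [ -z "$(conf_get "$1" local_umask)" ]; then
    echo "local_umask is not set (uploads get the vsftpd default of 077)"; findings=1
  fi
  return $findings
}

# Usage on a real host (assumed path): write_vsftpd_conf /etc/vsftpd.conf 21 && audit_vsftpd_conf /etc/vsftpd.conf
```

One caveat for step 2.1 above: vsftpd 2.3.5 and later refuse to start a session when the chroot root directory is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), so a blanket `chmod -R 777` on a jailed user's home breaks logins on newer releases; make the home directory itself non-writable and put a writable upload sub-directory inside it instead.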

Adding multiple sites to Apache (hosting different sites on Apache with Drupal)
For each site you want to host on Apache, create a separate folder under /var/www. This is the same idea as creating sites on IIS.

mkdir /var/www/www.example.com
mkdir /var/www/www.example.com/htdocs
mkdir /var/www/www.example.com/cgi-bin
mkdir /var/www/www.example.com/logs
Create an individual configuration for each site; user-defined Apache settings go in httpd.conf.
Copy the Drupal installation files into each site's folder, e.g. copy the drupal directory to /var/www/www.example.net/.
Copying it per site makes installing and configuring Drupal for each site easy.
Edit the httpd.conf file as follows,
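As an added example (not from the original post), the helpers below create the per-site layout above for any site name and print the matching `<VirtualHost>` block for httpd.conf, wired to the htdocs, cgi-bin and logs sub-directories the post describes. The access-control syntax (`Require all granted`) is Apache 2.4; that and `AllowOverride All` for Drupal's .htaccess rewrite rules are assumptions the post does not state.

```shell
#!/bin/sh
# Added example, not from the original post. Base /var/www and the three sub-directories
# come from the post; the VirtualHost directives are a standard Apache 2.4 layout.

# make_site_dirs BASE SITE: BASE/SITE/{htdocs,cgi-bin,logs}
make_site_dirs() {
  for d in htdocs cgi-bin logs; do
    mkdir -p "$1/$2/$d"
  done
}

# vhost_config BASE SITE: prints the block to append to httpd.conf
vhost_config() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $2
    DocumentRoot $1/$2/htdocs
    ScriptAlias /cgi-bin/ $1/$2/cgi-bin/
    ErrorLog $1/$2/logs/error.log
    CustomLog $1/$2/logs/access.log combined
    <Directory $1/$2/htdocs>
        # Drupal ships an .htaccess with its rewrite rules; AllowOverride All lets it apply
        AllowOverride All
        # -Indexes: never list directory contents (e.g. the sites/default/files tree)
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>
    <Directory $1/$2/cgi-bin>
        Options +ExecCGI -Indexes
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Usage (assumed paths; not run here):
#   make_site_dirs /var/www www.example.com
#   vhost_config /var/www www.example.com >> /etc/httpd/conf/httpd.conf
#   apachectl configtest && apachectl graceful
```

On Apache 2.2 (the version contemporary with Drupal 6/7 and httpd.conf editing) replace `Require all granted` with `Order allow,deny` plus `Allow from all`, and add a single `NameVirtualHost *:80` line before the first virtual host. Each site gets its own logs directory, so a compromise or misconfiguration of one site shows up in that site's error.log rather than the server-wide log.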


DriveMap using group policy


How to force a drive mapping for all users in Active Directory?

A drive map shares a network drive with all users on the network; in other words, a drive map is the local logical location of a network shared drive.
In a Windows environment, network sharing can be achieved in many ways. The following method is efficient and needs no action at the user end.
To map a network drive in a Windows domain environment,
first create a small script with the following lines:

net use i: /delete
net use i: \\ipaddress\sharename

Save the script as drivemap.bat under SYSVOL/domain/scripts/drivemap.bat
Second step:
Open Group Policy Management from the MMC, create a new policy and link it to the domain.
In the Group Policy Editor, open
User Configuration > Windows Settings > Scripts > Logon
Under Logon, add the script and click OK.


Linux backup script


This is a very simple backup script using rsync.
It pulls a backup from a remote location and stores it locally (central backup management).
Once the backup finishes, the script notifies the user with the time, date and amount of data transferred.

#!/bin/bash
emailaddress='user@example.com'
# local directory that stores the backups
DIRECTORY=/srv/backups
# current date, used as the name of today's backup folder
DATE=$(date '+%m-%d-%y')
mkdir -p "$DIRECTORY/$DATE"
# pull the remote tree, skipping anything listed in the local exclude file, and keep rsync's output as a log
rsync --exclude-from '/tmp/exclude.txt' -avz user@remotehost.com:/tmp/backups/ "$DIRECTORY/$DATE/" > "$DIRECTORY/$DATE/rsync.log"
# (the rsync command above is a single line)
# mail the last three lines of the log (bytes sent/received, total size) to the administrator
tail -3 "$DIRECTORY/$DATE/rsync.log" | mail -s "Source Code Backup for example.com on $DATE" "$emailaddress"

This script backs up all files and directories under /tmp/backups/ on remotehost.com.
What if you don't want to back up some files and directories?
The --exclude-from option specifies the list of files and folders to be excluded from the backup.
The exclude list can live on the local host (as a best practice, the exclude list should be local). In this script I have stored exclude.txt in the /tmp folder.

Sample exclude list
somefilename.jpg
/log*
/test/test1/ab*
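The script above mails the last three lines of the log whether or not rsync succeeded, so a failed or partial transfer looks the same as a good one in the inbox. The helpers below are an added example, not the post's own code: they parse the byte counts from rsync's own trailer, translate rsync's exit code (23 and 24 are its partial-transfer codes) into a status, and put that status in the notification. The log text is constructed to look like rsync 3.x `-v` output; no real transfer produced it, and the paths and addresses are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: status-aware notification for the rsync backup.

# Constructed rsync -v trailer (rsync 3.x prints thousands separators); not from a real run
SAMPLE_RSYNC_LOG='sending incremental file list
app/config.php
app/index.php

sent 1,234,567 bytes  received 4,321 bytes  82,592.53 bytes/sec
total size is 98,765,432  speedup is 79.73'

# rsync_bytes LOG FIELD: FIELD is "sent" or "received"; prints the count with commas removed
rsync_bytes() {
  printf '%s\n' "$1" | awk -v which="$2" '
    /^sent [0-9,]+ bytes +received [0-9,]+ bytes/ {
      n = (which == "sent") ? $2 : $5
      gsub(/,/, "", n); print n
    }'
}

# rsync_status CODE: human-readable outcome of an rsync exit code
rsync_status() {
  case "$1" in
    0)  echo "OK" ;;
    23) echo "PARTIAL (some files could not be transferred, see log)" ;;
    24) echo "PARTIAL (files vanished on the source during transfer)" ;;
    *)  echo "FAILED (rsync exit code $1)" ;;
  esac
}

# backup_summary LOG CODE DATE: mail body; status comes first so a failure is obvious
backup_summary() {
  printf 'Backup %s: %s\nSent %s bytes, received %s bytes\n' \
    "$3" "$(rsync_status "$2")" "$(rsync_bytes "$1" sent)" "$(rsync_bytes "$1" received)"
}

# run_backup: the post's script with the exit code captured and reported (not run here)
run_backup() {
  emailaddress='user@example.com'
  DIRECTORY=/srv/backups
  DATE=$(date '+%m-%d-%y')
  mkdir -p "$DIRECTORY/$DATE"
  rsync --exclude-from /tmp/exclude.txt -avz user@remotehost.com:/tmp/backups/ \
        "$DIRECTORY/$DATE/" > "$DIRECTORY/$DATE/rsync.log" 2>&1
  code=$?
  backup_summary "$(cat "$DIRECTORY/$DATE/rsync.log")" "$code" "$DATE" \
    | mail -s "Source Code Backup for example.com on $DATE: $(rsync_status "$code")" "$emailaddress"
  return "$code"
}
```

Putting the status in the subject line means a `FAILED` or `PARTIAL` backup can be spotted without opening the mail, and `run_backup` returns rsync's code so a cron wrapper can act on it.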

Installing a network file system – command line installation


Network shares can be configured in two ways (via Samba or via NFS); in other words, Linux network shares use two different protocols to mount shares across the network.
Samba uses the SMB protocol to mount shares; NFS uses the NFS protocol.
This post describes how to create network shares using Samba.
(Link to How to create shares using NFS)
1. Install the Samba server from the shell:
sudo apt-get install samba smbfs
For CentOS:
yum install samba
2. Edit the configuration file to adjust the settings:
sudo nano /etc/samba/smb.conf
Find the global configuration section in smb.conf; it should start with:
#
[global]
#Security = USER
Add these lines under it; they create the share folders. [homes] means a share named homes with the description 'Home directories' that is not browseable, i.e. hidden. Every user connecting to this Samba server connects directly to their own /home directory.
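The [homes] share the post describes, written out as an added example (not the post's own lines), together with a small reader that confirms what smb.conf actually says for a given section and key. `security = user` is the uncommented form of the `#Security = USER` line shown above; `valid users = %S` is an assumption the post does not make: it restricts each home share to the user whose home it is, so one authenticated user cannot open another user's home share.

```shell
#!/bin/sh
# Added example, not from the original post: [global] and [homes] sections plus a reader.

# write_homes_share PATH: appends the sections to the given smb.conf
write_homes_share() {
  cat >> "$1" <<'EOF'
[global]
   security = user

[homes]
   comment = Home directories
   browseable = no
   read only = no
   valid users = %S
EOF
}

# smb_get FILE SECTION KEY: the value as written (comments skipped, key case-insensitive,
# last definition wins, which is also how smbd resolves duplicates)
smb_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
    sec == want_sec && index($0, "=") > 0 {
      eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == tolower(want_key)) print val
    }' "$1" | tail -n 1
}

# homes_share_is_hidden FILE: succeeds when [homes] exists and is not browseable
homes_share_is_hidden() {
  [ "$(smb_get "$1" homes browseable)" = "no" ]
}

# Usage on a real host (assumed path; not run here):
#   write_homes_share /etc/samba/smb.conf && testparm -s && homes_share_is_hidden /etc/samba/smb.conf
```

`testparm -s` (part of Samba) parses the file the way smbd does and prints the effective settings, so use it for the authoritative view; `smb_get` is only a quick check that the text you wrote is the text on disk.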


How to restore Large MySQL databases on Linux

MySQL database restore and table restore.


There are many ways to restore a SQL dump into MySQL, but most of them allow a maximum file size of about 200 MB.
Restoring a file of more than 2 GB is far more frustrating.
This method is simple and needs no other complex scripts.
The steps are:
1. Connect to the MySQL server via SSH.
2. Log in to MySQL (you will be prompted for the password):
mysql -u user -p
3. At the MySQL prompt type:
use database_to_be_restored;
4. Then type source followed by the path to the SQL restore file.
Ex.
use test_db;
source /tmp/test1_db.sql
5. The restore takes some time depending on the size of the database; for a dump of about 2 GB it runs for 2 to 3 minutes.
There is another use for this method.
If you want to restore only some tables from a backup database, this method is very handy.
Just copy the selected tables to a new database and restore.
Or just load it over the existing database: it only adds the new tables, everything else is considered a duplicate and is not updated.


Note: I use this method to restore very large databases, up to a maximum size of 5 GB.
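Before pointing `source` at a multi-gigabyte file it helps to know what the dump contains and what it will do to the target database. The helpers below are an added example, not part of the original post: they list the tables in a mysqldump file, report whether the dump drops existing tables before recreating them, and cut a single table's DDL and data out of the dump for the selective restore described above. The sample dump is constructed in mysqldump's usual layout and is not a real backup; the file paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: inspect and slice a mysqldump file.

# Constructed sample in mysqldump layout (two tables); not a real backup
SAMPLE_DUMP=$(cat <<'EOF'
-- MySQL dump (constructed sample)
--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `name` varchar(64) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `users`
--

LOCK TABLES `users` WRITE;
INSERT INTO `users` VALUES (1,'alice'),(2,'bob');
UNLOCK TABLES;

--
-- Table structure for table `orders`
--

DROP TABLE IF EXISTS `orders`;
CREATE TABLE `orders` (
  `id` int(11) NOT NULL,
  `user_id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `orders`
--

LOCK TABLES `orders` WRITE;
INSERT INTO `orders` VALUES (10,1);
UNLOCK TABLES;
EOF
)

# dump_tables FILE: table names in dump order, taken from mysqldump's section markers
dump_tables() {
  sed -n 's/^-- Table structure for table `\(.*\)`$/\1/p' "$1"
}

# dump_replaces_tables FILE: succeeds when the dump will DROP existing tables of the same
# name before recreating them (mysqldump's default), i.e. sourcing it overwrites, not skips
dump_replaces_tables() {
  grep -q '^DROP TABLE IF EXISTS' "$1"
}

# extract_table FILE TABLE: only that table's structure and data sections
extract_table() {
  awk -v name="$2" '
    /^-- Table structure for table / { keep = ($0 == "-- Table structure for table `" name "`") }
    keep { print }' "$1"
}

# Usage on a real dump (assumed paths; not run here):
#   dump_tables /tmp/test1_db.sql
#   dump_replaces_tables /tmp/test1_db.sql && echo "existing tables with these names will be replaced"
#   extract_table /tmp/test1_db.sql orders > /tmp/orders_only.sql   # then: source /tmp/orders_only.sql
```

Check `dump_replaces_tables` before loading a full dump over a live database: a dump taken with mysqldump's defaults carries `DROP TABLE IF EXISTS` for every table, so tables that already exist are replaced by the dump's copy rather than left alone. An extracted single-table file is the safer route when only a few tables need to come back.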