A sendmail MTA can be configured to look up the IP address of every host that connects to its SMTP port in one or more DNS blacklists (DNSBLs) and to reject the connection when the address is listed. This is done with the sendmail dnsbl FEATURE. Because the check runs during the SMTP conversation, before any message data is accepted, a listed host never gets to hand over its mail, which cuts the volume of incoming spam.
In outline, this is how the built-in dnsbl anti-spam feature works:
1. A remote host opens an SMTP connection to sendmail. The source IP address of that connection is the only input the check needs; unlike envelope and header addresses, it cannot be chosen freely by the sender.
2. Sendmail records the connecting address in the ${client_addr} macro.
3. Sendmail rewrites the address into the form the DNSBL expects (the four octets reversed, with the blacklist zone appended) and issues an ordinary DNS A-record query for that name against each configured blacklist zone.
4. If the query returns an answer, the address is listed and sendmail rejects the connection with the configured 550 reply; if the name does not exist, the connection proceeds as normal.
HowTo Configure Sendmail for DNS-based Blacklisting
Here is a quick walkthrough of configuring sendmail to check the connecting host's IP address during the SMTP conversation.
Minimum Requirements
a. Linux OS
b. Existing Sendmail setup
c. Existing DNS setup
d. Internet connection
Steps on how to configure sendmail to check with DNS Blacklists
Step One
Choose DNS blacklists that are actively maintained and have a good track record, since every listing becomes a hard reject on your server. This example uses three blacklist zones:
zen.spamhaus.org
list.dsbl.org
combined.njabl.org
Substitute whichever DNSBL zones suit your needs, and check that each one is still operating before you enable it: of the three above, dsbl.org and njabl.org have since shut down. A zone that no longer exists simply fails open, but a lapsed domain that is re-registered and answers every query would make sendmail reject all incoming mail, so a defunct list must be removed rather than left in place. Note also that the plain dnsbl feature treats any A record as a listing; Spamhaus, for example, returns special 127.255.255.x codes for refused or over-quota queries (such as queries sent through a public resolver), and with this configuration those answers would reject mail too. The enhdnsbl feature accepts an explicit list of return values that count as a match.
Step Two
Configure sendmail to use the dnsbl feature. Back up /etc/mail/sendmail.mc, then add the lines below:
FEATURE(`dnsbl', `zen.spamhaus.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access at http://www.spamhaus.org/query/bl?ip=" $`'&{client_addr} ')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access see http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl', `combined.njabl.org', `"550 Refused unsolicited email from " $`'&{client_addr} " - Request access see http://njabl.org/lookup?$&{client_addr}')dnl
The rejection messages above have been customised to carry:
a. the IP address of the rejected host (the ${client_addr} macro),
b. the DNS blacklist that produced the listing, and
c. a URL the operator of the rejected host can visit to see why it was blocked and how to request delisting.
Each rejection is also written to sendmail's log (/var/log/maillog on Red Hat-style systems) with the same text, so the log can be used for statistics and monitoring.
The dnsbl feature is not part of the default sendmail configuration; it is active only once you add it to sendmail.mc as above.
Step Three
Recompile and restart sendmail daemon service
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# service sendmail restart
Monitoring DNS Blacklist Logs with Sendmail
# tail -f /var/log/maillog | grep 'Refused unsolicited'
Counting blocked hosts by Sendmail DNS blacklists
# grep -c 'Refused unsolicited' /var/log/maillog
This counts rejection lines, so a host that connects repeatedly is counted once per attempt.
You can combine grep, sed or awk to extract the rejected IP addresses and write them to a single file.
A more aggressive option is a script that adds the addresses in that file to a firewall block list; that is left for a separate post. The counts can also be fed to MRTG for graphing.
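The following is an added example, not code from the original post. It reproduces the lookup that FEATURE(dnsbl) performs so a list can be tested by hand, shows how a returned address should be interpreted (the plain dnsbl feature does not distinguish a listing from an error code), and summarises the rejections that the reply text configured above writes to the mail log. The log lines are constructed for the example and use documentation IP ranges; the host(1) lookup needs network access and is not run by the offline part.

```sh
#!/bin/sh
# Added example, not part of the original post. Reproduces the DNSBL lookup
# sendmail performs, interprets the answer, and summarises rejections from
# constructed sendmail log lines.

# Reverse the octets of an IPv4 address and append the DNSBL zone:
# 192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org
dnsbl_name() {
    ip=$1
    zone=$2
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Interpret an answer. Spamhaus lists with 127.0.0.2 through 127.0.0.11 and
# uses 127.255.255.x to signal an error (query via a public resolver, over
# quota). FEATURE(dnsbl) treats any A record as a listing, so an error answer
# would reject every connection; a checker must not.
dnsbl_listed() {
    case $1 in
        127.0.0.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Live lookup with host(1): prints the returned A records, nothing if unlisted.
# Needs DNS, so it is not exercised offline.
dnsbl_query() {
    host -t A "$(dnsbl_name "$1" "$2")" 2>/dev/null | awk '/has address/ {print $NF}'
}

# Read sendmail log lines on stdin and print "count ip" for each rejected
# client, most frequent first. Only the reply text configured above is matched.
blocked_ips() {
    sed -n 's/.*Refused unsolicited email from \([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed log lines in sendmail's check_relay rejection format (not real traffic).
SAMPLE_LOG='Nov  2 10:01:12 mx sendmail[1234]: nA2F1C1234: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 Refused unsolicited email from 192.0.2.10 - Request access at http://www.spamhaus.org/query/bl?ip=192.0.2.10
Nov  2 10:03:40 mx sendmail[1240]: nA2F3e1240: ruleset=check_relay, arg1=[198.51.100.7], arg2=127.0.0.4, relay=[198.51.100.7], reject=550 Refused unsolicited email from 198.51.100.7 - Request access at http://www.spamhaus.org/query/bl?ip=198.51.100.7
Nov  2 10:04:02 mx sendmail[1244]: nA2F421244: from=<alice@example.org>, size=1432, class=0, nrcpts=1, relay=mail.example.org [203.0.113.5]
Nov  2 10:09:55 mx sendmail[1250]: nA2F9t1250: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 Refused unsolicited email from 192.0.2.10 - Request access at http://www.spamhaus.org/query/bl?ip=192.0.2.10'

dnsbl_name 192.0.2.10 zen.spamhaus.org
printf '%s\n' "$SAMPLE_LOG" | blocked_ips
```

To test a zone against a known-listed address, run dnsbl_query with it and pass each returned address to dnsbl_listed; an answer in 127.255.255.x means the resolver you use is being refused, and that condition should be fixed before the zone goes into sendmail.mc.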
Monday, November 2, 2009
Wednesday, October 28, 2009
Kernel Parameters: Setting Kernel Parameters with sysctl
How do I set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of my system? How do I configure Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?
sysctl is an interface for changing the settings of a running Linux kernel. With /etc/sysctl.conf those changes persist across reboots. The settings below, for example, are used to:
1. Limit the IPv4 configuration the host accepts from the network (redirects, source routing)
2. Limit the IPv6 configuration the host accepts from the network (router advertisements)
3. Turn on ExecShield protection (on Red Hat kernels that provide it)
4. Protect against the common SYN flood attack with SYN cookies
5. Turn on source address verification (reverse path filtering)
6. Prevent an attacker from using IP spoofing against the server
7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects
sysctl command
The sysctl command modifies kernel parameters at runtime. /etc/sysctl.conf is a text file containing the values that sysctl reads in and sets at boot time. To view all current values, enter:
# sysctl -a
(sysctl -A is an older synonym for -a.) To read a single parameter, name it, for example:
# sysctl net.ipv4.conf.all.rp_filter
To load the settings from /etc/sysctl.conf, enter:
# sysctl -p
A key the running kernel does not have (kernel.exec-shield on a kernel without ExecShield, for instance) produces an error for that line; check the output rather than assuming every line was applied.
Sample /etc/sysctl.conf
Edit /etc/sysctl.conf and update it as follows. The file is documented with comments; for the exact meaning of each key, read the kernel's own documentation (Documentation/sysctl/ and Documentation/networking/ip-sysctl.txt in the kernel source):
# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies (enabled below, in the IPv4 section)
#net.ipv4.tcp_syncookies = 1
# Retransmit a SYN-ACK only twice so half-open connections left by a SYN flood age out quickly
net.ipv4.tcp_synack_retries = 2
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Accept a default router from router advertisements? No, routing is configured statically here
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
# Neighbor solicitations to send per address for duplicate address detection (0 disables DAD)
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
# Enable ExecShield protection (Red Hat / CentOS / Fedora kernels only; other kernels reject this key)
kernel.exec-shield = 1
# Address space layout randomisation: 1 randomises stack, mmap and VDSO placement;
# on kernels 2.6.26 and later use 2, which also randomises the heap (brk) and is the default
kernel.randomize_va_space = 1
# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit (current kernels size this from RAM and default far
# higher; never set it below the running value shown by sysctl fs.file-max)
fs.file-max = 65535
#Allow for more PIDs
kernel.pid_max = 65536
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
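The following is an added example, not code from the original post. It checks that the hardening keys from the sysctl.conf above are actually in effect on the running kernel: sysctl -p applies the file once and reports only unknown keys, so a value that another tool or a later sysctl call changed goes unnoticed. Live values are read from ${SYSCTL_ROOT:-/proc/sys}; SYSCTL_ROOT is an assumption of this example that lets the check run without root against a directory of constructed files. The expected randomize_va_space is 2 rather than the 1 in the file above, because 2 also randomises the heap and is the default on current kernels.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that the sysctl.conf
# hardening values are in effect. SYSCTL_ROOT (default /proc/sys) is an
# example-only override for testing against constructed files.

# Expected key=value pairs, a subset of the configuration above.
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.randomize_va_space=2
kernel.sysrq=0'

# /proc/sys path for a key: dots become directory separators.
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Live value of a key with whitespace collapsed, or MISSING when this kernel
# has no such key (as with kernel.exec-shield outside Red Hat kernels).
sysctl_get() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then
        tr -s '[:space:]' ' ' < "$p" | sed 's/ $//'
    else
        echo MISSING
    fi
}

# One line per key: OK, MISSING or MISMATCH. Returns 1 unless everything is OK.
audit_sysctl() {
    rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_get "$key")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        elif [ "$have" = MISSING ]; then
            echo "MISSING  $key (no such key on this kernel)"
            rc=1
        else
            echo "MISMATCH $key = $have (want $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Usage after 'sysctl -p':   audit_sysctl || echo "kernel hardening has drifted"
```

Run audit_sysctl from cron or a configuration-management check so that a MISMATCH line is noticed; a MISSING line for kernel.exec-shield is expected on non-Red Hat kernels and the key should then be dropped from the file.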
Sunday, October 25, 2009
Apache:Piped logging program to rotate Apache logs
The IT infrastructure team needed a way to rotate the Apache logs: on a busy server they fill up quickly, and maintaining them by hand had always been cumbersome.
I looked at the available tools for Apache log maintenance and settled on rotatelogs. Here is what I found:
rotatelogs is a simple program for use in conjunction with Apache's piped logfile feature. For example:
CustomLog "|rotatelogs /var/logs/logfile 86400" common
This creates the files /var/logs/logfile.nnnn where nnnn is the system time at which the log nominally starts (this time will always be a multiple of the rotation time, so you can synchronize cron scripts with it). At the end of each rotation time (here after 24 hours) a new log is started.
CustomLog "|rotatelogs /var/logs/logfile 5M" common
This configuration will rotate the logfile whenever it reaches a size of 5 megabytes.
ErrorLog "|bin/rotatelogs /var/logs/errorlog.%Y-%m-%d-%H_%M_%S 5M"
This configuration will rotate the error logfile whenever it reaches a size of 5 megabytes, and the suffix to the logfile name will be created of the form errorlog.YYYY-mm-dd-HH_MM_SS.
Synopsis
rotatelogs [ -l ] logfile [ rotationtime [ offset ]] | [ filesizeM ]
Options
-l (2.0.51 and later)
Causes the use of local time rather than GMT as the base for the interval. Note that using -l in an environment which changes the GMT offset (such as for BST or DST) can lead to unpredictable results!
logfile
The path plus basename of the logfile. If logfile includes any '%' characters, it is treated as a format string for strftime(3). Otherwise, the suffix .nnnnnnnnnn is automatically added and is the time in seconds. Both formats compute the start time from the beginning of the current period.
rotationtime
The time between log file rotations in seconds.
offset
The number of minutes offset from UTC. If omitted, zero is assumed and UTC is used. For example, to use local time in the zone UTC -5 hours, specify a value of -300 for this argument.
filesizeM
The maximum file size in megabytes followed by the letter M to specify size rather than time. Use this parameter in place of both rotationtime and offset.
Portability
The following logfile format string substitutions should be supported by all strftime(3) implementations, see the strftime(3) man page for library-specific extensions.
%A full weekday name (localized)
%a 3-character weekday name (localized)
%B full month name (localized)
%b 3-character month name (localized)
%c date and time (localized)
%d 2-digit day of month
%H 2-digit hour (24 hour clock)
%I 2-digit hour (12 hour clock)
%j 3-digit day of year
%M 2-digit minute
%m 2-digit month
%p am/pm of 12 hour clock (localized)
%S 2-digit second
%U 2-digit week of year (Sunday first day of week)
%W 2-digit week of year (Monday first day of week)
%w 1-digit weekday (Sunday first day of week)
%X time (localized)
%x date (localized)
%Y 4-digit year
%y 2-digit year
%Z time zone name
%% literal `%'
Note: rotatelogs does not create directories, so create /var/logs (or point the paths at /var/log/httpd) before starting Apache. The piped program is started by the parent httpd process and therefore runs as root, so neither the rotatelogs binary, the directories on its path, nor the log directory may be writable by other users.
To test, restart the httpd service; the directory will then contain files such as these (the errorlog names carry UTC timestamps because -l was not given, which is why they lag the local times shown by ls):
[root@localhost logs]# ls -la
total 28
drwxr-xr-x 2 root root 4096 2009-10-26 01:45 .
drwxr-xr-x. 23 root root 4096 2009-10-26 01:13 ..
-rw-r--r-- 1 root root 632 2009-10-26 01:43 errorlog.2009-10-25-20_13_59
-rw-r--r-- 1 root root 632 2009-10-26 01:44 errorlog.2009-10-25-20_14_15
-rw-r--r-- 1 root root 0 2009-10-26 01:13 logfile
-rw-r--r-- 1 root root 310 2009-10-26 01:21 logfile.1256500257
-rw-r--r-- 1 root root 381 2009-10-26 01:39 logfile.1256501364
-rw-r--r-- 1 root root 81 2009-10-26 01:44 logfile.1256501673
[root@localhost logs]#
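The following is an added example, not code from the original post or from the Apache project. It covers what rotatelogs leaves to the administrator: computing which file a cron job should pick up from the nominal period start, checking that nothing root executes for piped logging is world-writable, and compressing and then deleting rotated files, since rotatelogs only ever opens new ones. The paths, base name and 86400-second interval are those used above; the compress-after and delete-after ages are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post: helpers around rotatelogs.

# Nominal start of the rotation period containing epoch second $1 for an
# interval of $2 seconds. With a plain logfile name this is the ".nnnnnnnnnn"
# suffix rotatelogs appends, so a cron job can name the file just closed.
period_start() {
    echo $(( $1 / $2 * $2 ))
}

# File rotatelogs is writing at time $3 (base name $1, interval $2).
current_logfile() {
    printf '%s.%s\n' "$1" "$(period_start "$3" "$2")"
}

# File closed at the most recent boundary before time $3.
previous_logfile() {
    printf '%s.%s\n' "$1" "$(( $(period_start "$3" "$2") - $2 ))"
}

# Piped-log programs inherit the parent httpd's privileges (root). Report any
# listed path that is world-writable, since a local user could then replace
# the program root runs or redirect its output. Returns 1 on a finding.
check_piped_log_paths() {
    rc=0
    for p in "$@"; do
        if [ -n "$(find "$p" -prune -perm -002 -print 2>/dev/null)" ]; then
            echo "world-writable: $p"
            rc=1
        fi
    done
    return $rc
}

# Compress rotated files under $1 older than $2 days and delete compressed
# ones older than $3 days. The live file carries no suffix and is never touched.
prune_logs() {
    dir=$1
    compress_after=$2
    delete_after=$3
    find "$dir" -type f -name 'logfile.*' ! -name '*.gz' -mtime +"$compress_after" -exec gzip -9 {} \;
    find "$dir" -type f -name 'logfile.*.gz' -mtime +"$delete_after" -exec rm -f {} \;
}

# With the 86400-second rotation, the first timestamp in the listing above
# falls in the period starting at 1256428800 (2009-10-25 00:00 UTC).
current_logfile /var/logs/logfile 86400 1256500257
```

A daily cron entry a minute after the UTC boundary, for example `1 0 * * * /usr/local/sbin/prune_logs.sh` running `check_piped_log_paths /usr/sbin/rotatelogs /var/logs && prune_logs /var/logs 1 30`, keeps the directory bounded without touching the file Apache is writing.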
Friday, October 23, 2009
Apache:SSH Public key based authentication – Howto
This howto covers generating and using ssh keys for automated:
a) Login
b) Make backups
c) Run commands from shell etc
Task: Generating ssh keys
1) Log on to your workstation (for example, log on to the workstation called admin.fbsd.nixcraft.org as the user vivek). Refer to the sample setup below. You must be logged in on your local system AS THE USER who will make the passwordless ssh connections.
My Setup
2) Create the Cryptographic Key on FreeBSD workstation, enter:
$ ssh-keygen -t rsa
Assign a passphrase (press [Enter] twice if you do not want one; note that a key without a passphrase is usable by anyone who can read the file, so for unattended jobs prefer a passphrase held in ssh-agent, or limit what the key may do on the server with from= and command= options in authorized_keys). It creates two files in the ~/.ssh directory:
* ~/.ssh/id_rsa : identification (private) key
* ~/.ssh/id_rsa.pub : public key
3) Use scp to copy id_rsa.pub (the public key) to the rh9linux.nixcraft.org server as the authorized_keys2 file; this is known as installing the public key on the server. Note that scp overwrites the target, so any keys already in that file are lost; when the account already has keys, append with cat >> or use ssh-copy-id instead. authorized_keys2 is a legacy name; current OpenSSH reads ~/.ssh/authorized_keys.
$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
4) From FreeBSD workstation login to server:
$ ssh rh9linux.nixcraft.org
5) Changing the pass-phrase on workstation (if needed):
$ ssh-keygen -p
6) Use ssh-agent to avoid typing the passphrase repeatedly
At freebsd workstation type:
$ ssh-agent $BASH
$ ssh-add
Type your pass-phrase
From here on, connecting to the server no longer prompts for the passphrase.
The two commands above can be added to ~/.bash_profile so that the agent is set up as soon as you log in to the workstation.
7) Deleting the keys held by ssh-agent
a) To delete all keys
$ ssh-add -D
b) To delete specific key
$ ssh-add -d key
c) To list keys
$ ssh-add -l
Apache:Howto Linux / UNIX setup SSH with DSA public key authentication (password less login)
I have Linux laptop called tom and remote Linux server called jerry. How do I setup DSA based authentication so I don’t have to type password?
Solution:
DSA public key authentication is established per system and per user; it is not system wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines. (Since this was written, OpenSSH has disabled ssh-dss keys by default from release 7.0 onwards, so on a current system substitute -t ed25519 or -t rsa in the ssh-keygen command and the matching file names; the rest of the procedure is unchanged.)
#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)
First login to local computer called tom and type the following command.
Step #1: Generate DSA Key Pair
Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:
Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop
Caution: a) Please enter a passphrase different from your account password and confirm the same.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission
Next make sure the .ssh directory has the correct permissions. sshd (with the default StrictModes yes) ignores authorized_keys if your home directory, ~/.ssh or the file itself is writable by group or others; 700 is the usual mode for the directory:
$ cd
$ chmod 700 .ssh
Step #3: Copy public key
Now copy ~/.ssh/id_dsa.pub from Machine #1 (tom) to the remote server jerry as ~/.ssh/authorized_keys (this overwrites any keys already in that file; to add to an existing file, use ssh-copy-id user@jerry or append with cat >> instead):
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry
Login to your remote server and make sure permissions are set correct:
$ chmod 600 ~/.ssh/authorized_keys
Task: How do I login from client to server with DSA key?
Use scp or ssh as follows from your local computer:
$ ssh user@jerry
$ ssh user@remote-server.com
$ scp file user@jerry:/tmp
You will still be asked for the passphrase of the DSA key each time you connect to the remote server jerry, unless you did not set a passphrase when generating the key pair.
Task: How do I login from client to server with a DSA key but without typing a passphrase, i.e. password-less login?
Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Output:
Enter passphrase for /home/vivek/.ssh/id_dsa: myPassword
Identity added: /home/vivek/.ssh/id_dsa (/home/vivek/.ssh/id_dsa)
Type your passphrase once. Now you should not be prompted for a passphrase whenever you use the ssh, scp, or sftp command.
If you are using GUI such as Gnome use the command:
$ ssh-askpass
OR
$ /usr/lib/openssh/gnome-ssh-askpass
To save your passphrase during your GNOME session under Debian / Ubuntu, do as follows:
a) Click on System
b) Select Preferences
c) Select Session
d) Click on New
e) Enter "OpenSSH Password Management" in the Name text area
f) Enter /usr/lib/openssh/gnome-ssh-askpass in the command text area.
g) Click on close to save the changes
h) Log out and then log back into GNOME. After GNOME is started, a dialog box will appear prompting you for your passphrase. Enter the passphrase requested. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
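The following is an added example, not code from either of the two SSH posts above. Both posts install the public key by copying it over authorized_keys (or authorized_keys2) with scp, which silently discards any keys already there, and both depend on file modes that sshd checks but neither post verifies. This script installs a key by appending, skipping it if the same key is already present, and reports the modes that make sshd ignore authorized_keys or make ssh refuse a private key. The second argument, a target home directory, is an assumption of the example so that it can run against a scratch directory; the key material in the usage is constructed, not a real key.

```sh
#!/bin/sh
# Added example, not part of the original posts: non-destructive public key
# installation and the StrictModes permission check.

# Append the key in the .pub file $1 to $2/.ssh/authorized_keys unless the same
# key is already present. Matching is on key type and base64 blob only, so a
# different trailing comment does not produce a duplicate entry.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    auth=$home/.ssh/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$auth" && chmod 600 "$auth"
    keyid=$(awk 'NR==1 {print $1, $2}' "$pub")
    if awk '{print $1, $2}' "$auth" | grep -qxF -- "$keyid"; then
        echo "already installed: $keyid"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed: $keyid"
}

# Number of keys in authorized_keys (0 when the file does not exist).
count_keys() {
    n=$(grep -cE '^(ssh-|ecdsa-)' "${1:-$HOME}/.ssh/authorized_keys" 2>/dev/null || true)
    echo "${n:-0}"
}

# Report modes that make sshd ignore the key or make ssh refuse to use it:
# home, ~/.ssh and authorized_keys must not be group- or world-writable, and
# private keys must not be readable by anyone else. Returns 1 on any finding.
check_ssh_perms() {
    home=${1:-$HOME}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world-writable: $p"
            rc=1
        fi
    done
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if [ -n "$(find "$k" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "private key readable by others: $k"
            rc=1
        fi
    done
    return $rc
}

# Usage on the server side, after the .pub file has been copied to /tmp:
#   install_pubkey /tmp/id_rsa.pub && check_ssh_perms
```

On the client side, check_ssh_perms with no argument covers your own ~/.ssh; a finding on the private key is the same condition that makes ssh print its "UNPROTECTED PRIVATE KEY FILE" warning and ignore the key.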
Apache: How To Back Up a Web Server?
I'm busy experimenting with Red Hat Enterprise Linux based Apache web server. I want to backup my Apache webserver, MySQL and PostgreSQL database to another disk called /backup and then copy it to other offsite backup ssh server called backup.example.com.
I started this morning with some refreshment at breakfast and soon caught one of my friends online. He was Domino from the Netherlands; we met on a Linux forum. He wanted help with the same task, so I started writing.
Here we go...
There are many tools under Linux / UNIX for backing up a web server. You can write a simple shell script that backs everything up to the /backup directory, and then copy the contents of /backup offsite with ssh and scp.
Step # 1: Create /root/backup.sh script
Use the following shell script:
#!/bin/bash
# A Simple Shell Script to Backup Red Hat / CentOS / Fedora / Debian / Ubuntu Apache Webserver and SQL Database
# Abort on unset variables and report a failing dump even when gzip succeeds
set -u -o pipefail
# The archives contain /etc and full database dumps: keep them unreadable to other local users
umask 077
# Path to backup directories (space-separated list; deliberately left unquoted where used)
DIRS="/home/vivek/ /var/www/html/ /etc"
# Store todays date and time once so all three file names match
NOW=$(date +"%F")
TIME=$(date +'%T')
# Store backup path
BACKUP="/backup/$NOW"
# Backup file name hostname.time.tar.gz
BFILE="$(hostname).${TIME}.tar.gz"
PFILE="$(hostname).${TIME}.pg.sql.gz"
MFILE="$(hostname).${TIME}.mysql.sql.gz"
# Set Pgsql username
PGSQLUSER="ajeet"
# Set MySQL username and password
# NOTE: a password given on the command line is visible to every local user in the process
# list while mysqldump runs; a [client] section in a mode-600 file passed with
# --defaults-extra-file avoids that
MYSQLUSER="ajeet"
MYSQLPASSWORD="myPassword"
# Remote SSH server setup
SSHSERVER="backup.example.com" # your remote ssh server
SSHUSER="ajeet" # username
SSHDUMPDIR="/backup/remote" # remote ssh server directory to store dumps
# Paths for binary files
TAR="/bin/tar"
PGDUMP="/usr/bin/pg_dump"
MYSQLDUMP="/usr/bin/mysqldump"
GZIP="/bin/gzip"
SCP="/usr/bin/scp"
SSH="/usr/bin/ssh"
LOGGER="/usr/bin/logger"
# make sure backup directory exists
[ ! -d "$BACKUP" ] && mkdir -p "${BACKUP}"
# Log backup start time in /var/log/messages
$LOGGER "$0: *** Backup started @ $(date) ***"
# Backup webserver dirs ($DIRS must stay unquoted so each path is a separate argument to tar;
# -v is omitted because cron would mail the full file listing)
$TAR -zcf "${BACKUP}/${BFILE}" ${DIRS} || $LOGGER "$0: tar of ${DIRS} failed"
# Backup PgSQL (without a database name pg_dump dumps the database named after the user;
# append the database name, or use pg_dumpall to capture every database)
$PGDUMP -x --column-inserts -U "${PGSQLUSER}" | $GZIP -c > "${BACKUP}/${PFILE}" || $LOGGER "$0: pg_dump failed"
# Backup MySQL
$MYSQLDUMP -u "${MYSQLUSER}" -h localhost -p"${MYSQLPASSWORD}" --all-databases | $GZIP -9 > "${BACKUP}/${MFILE}" || $LOGGER "$0: mysqldump failed"
# Dump all local files to failsafe remote UNIX ssh server / home server
$SSH "${SSHUSER}@${SSHSERVER}" mkdir -p "${SSHDUMPDIR}/${NOW}"
$SCP -r "${BACKUP}"/* "${SSHUSER}@${SSHSERVER}:${SSHDUMPDIR}/${NOW}"
# Log backup end time in /var/log/messages
$LOGGER "$0: *** Backup Ended @ $(date) ***"
Customize it to your needs: set the usernames, the MySQL password, the SSH settings and so on. Because the script holds a database password and its output includes an archive of /etc, keep both /root/backup.sh and /backup readable by root only (mode 700).
Step # 2: Create ssh keys
Create SSH keys for passwordless login from your server to the offsite server, whether that is hosted at your home or in another datacenter. The backup runs from root's crontab, so the key pair belongs in /root/.ssh and its public half in the backup user's authorized_keys on the remote host. See the following FAQs for more information:
http://linuxhunt.blogspot.com/2009/10/apachehowto-linux-unix-setup-ssh-with.html
http://linuxhunt.blogspot.com/2009/10/apachessh-public-key-based.html
Step #3: Create Cron job
Set up a cron job to back up the server every day. As root, enter:
# crontab -e
Append the following line to run the backup every day at midnight:
@midnight /root/backup.sh
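The key from Step 2 lets root on the web server log into backup.example.com without a password, so whoever compromises the web server (or simply reads /root/.ssh) can also log into the backup host and delete or replace every backup kept there. The usual mitigation is to pin that key to a forced command on the backup host, so it can perform only the two operations backup.sh actually issues: create the dated directory and receive files into it. The wrapper below is an added example, not part of the original post or of any distribution package. It assumes the SSHDUMPDIR and date-named layout used by the script above, an install path of /usr/local/bin/backup-only.sh, and an sshd new enough for the restrict option in authorized_keys (OpenSSH 7.2 or later).

```shell
#!/bin/sh
# backup-only.sh: forced-command wrapper for the backup account on backup.example.com.
# Added example, not part of the original post. Install it as
# /usr/local/bin/backup-only.sh (assumed path) and pin the web server's key to it
# in ~ajeet/.ssh/authorized_keys on the backup host:
#
#   restrict,command="/usr/local/bin/backup-only.sh" ssh-ed25519 AAAA... root@webserver
#
# sshd then runs this script instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND. Only the two requests that
# /root/backup.sh makes are executed, and only for the directory layout it uses:
#   mkdir -p /backup/remote/YYYY-MM-DD
#   scp [-v] [-r] [-p] [-d] -t /backup/remote/YYYY-MM-DD   (server side of the client's scp -r)
set -u

SSHDUMPDIR="/backup/remote"           # must match SSHDUMPDIR in backup.sh
DATE_RE='[0-9]{4}-[0-9]{2}-[0-9]{2}'  # the $NOW directory name, date +%F
NL=$(printf '\nx'); NL=${NL%x}        # a literal newline for the check below

# allow_backup_cmd CMD
# Prints CMD and returns 0 if it is one of the permitted commands, otherwise
# prints nothing and returns 1. The whole string must match a fixed pattern,
# so shell metacharacters, globs, "..", extra arguments, scp -f (download)
# and any directory other than a dated one under SSHDUMPDIR are all refused.
allow_backup_cmd() {
    cmd=$1
    case $cmd in
        *"$NL"*) return 1 ;;          # a second line could hide a second command
    esac
    for pat in "mkdir -p $SSHDUMPDIR/$DATE_RE" \
               "scp( -[vrpd])* -t $SSHDUMPDIR/$DATE_RE"; do
        if printf '%s\n' "$cmd" | grep -Eqx -- "$pat"; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# run_backup_cmd CMD: execute CMD if permitted, otherwise log the attempt and exit 1.
run_backup_cmd() {
    if ! allowed=$(allow_backup_cmd "$1"); then
        logger -t backup-only "refused from ${SSH_CONNECTION:-?}: $1"
        echo "backup-only: command not permitted" >&2
        exit 1
    fi
    umask 077                         # received dumps contain /etc and database data
    # shellcheck disable=SC2086
    exec $allowed                     # word splitting is safe: the string matched a fixed pattern
}

# sshd sets both variables when it invokes a forced command; when the file is
# sourced for testing neither is set and nothing runs.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ -n "${SSH_CONNECTION:-}" ]; then
    run_backup_cmd "$SSH_ORIGINAL_COMMAND"
fi
```

Even with the wrapper the key can still create new dated directories and overwrite files inside the current day's directory, so pruning and rotation of old backups must happen on the backup host, never from the web server. Note that OpenSSH 9.0 and later make scp use the SFTP protocol by default, which does not send an scp -t command at all; with those versions run the copy in backup.sh as scp -O so the wrapper sees the legacy command, otherwise it fails closed and the upload is refused.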
Apache: Giving Users their Own URL
Exploring more of Apache and continuing with my Cookbook, I started on this topic and set it up in just 5 minutes. This time I tried setting up web pages for all users, and this is how I finally got it working!!!
File: /etc/httpd/conf/httpd.conf
Line 352, remove the hash sign so that it reads:
UserDir public_html
In the stock Fedora file the line UserDir disabled sits a few lines above this one; comment it out as well, or every /~user request keeps answering 403 no matter what the line below says. UserDir is off by default because a /~user URL tells any remote client whether that account exists on the box; if only a few people should publish, keep UserDir disabled and add UserDir enabled ajeet john eric instead.
Then remove the hash sign from every line of the access-control block further down, including the <Directory /home/*/public_html> line that opens it (line 367 in the same file) and the </Directory> line that closes it; with only the middle lines uncommented Apache refuses to start with a syntax error:
367 <Directory /home/*/public_html>
368     AllowOverride FileInfo AuthConfig Limit
369     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
370     <Limit GET POST OPTIONS>
371         Order allow,deny
372         Allow from all
373     </Limit>
374     <LimitExcept GET POST OPTIONS>
375         Order deny,allow
376         Deny from all
377     </LimitExcept>
378 </Directory>
Indexes in the Options line is what produces the directory listing shown below; drop it if you do not want the contents of public_html enumerated by anyone who can reach the server.
Restart the Apache Service.
Try browsing: http://localhost/~ajeet
But it won't work.
Reason: permission issue. Apache runs as the apache user, which is "other" to every home directory, so it needs search (x) permission on every directory in the path and read permission on the files it serves.
Create a few users such as ajeet, john and eric:
#useradd ajeet
#passwd ajeet
#cd /home/ajeet
#mkdir public_html
#cd public_html
#mkdir {ISO1,ISO2,ISO3}
Grant permission (o+x on the home directory is enough; the web server does not need to read /home/ajeet itself):
#chmod o+x /home /home/ajeet
#chmod o+x /home/ajeet/public_html
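When a /~user URL still answers 403 after the chmod above, the question is which directory in the chain is blocking the apache user. The function below, an added example and not from the original post, walks the path the same way the kernel does for "other": every directory from the root down to public_html must carry the execute (search) bit for others, and public_html itself must be world-readable for the index listing to work. It reports the first component that fails. The optional second argument is an assumption made here so the check can be run against a throwaway directory tree; in real use you pass only the public_html path.

```shell
#!/bin/sh
# check_userdir_perms DIR [BASE]
# Apache runs as the "apache" user, which is "other" to every home directory.
# Walk from BASE (default: the filesystem root) down to DIR and report the first
# directory that others cannot search (no x bit), then check that DIR itself is
# world-readable, which the directory index needs. Prints the offending path with
# its mode and returns 1, or prints nothing and returns 0 when the chain is open.
# Added example, not part of the original post; the BASE argument exists so the
# check can be exercised against a test tree instead of the real /home.
check_userdir_perms() (
    dir=$1
    base=${2:-}
    rel=${dir#"$base"}      # only components below BASE are checked
    path=$base
    IFS=/                   # split REL on slashes; the subshell body keeps IFS and -f local
    set -f
    other=""
    perm=""
    for part in $rel; do
        [ -n "$part" ] || continue
        path="$path/$part"
        if [ ! -e "$path" ]; then
            printf '%s: does not exist\n' "$path"
            exit 1
        fi
        perm=$(ls -ld "$path" | cut -c1-10)     # e.g. drwx------ (an SELinux "." suffix is cut off)
        other=$(printf '%s\n' "$perm" | cut -c8-10)
        case $other in
            ??x|??t) ;;     # others may search this directory (t = sticky bit plus x)
            *) printf '%s: others cannot traverse it (%s)\n' "$path" "$perm"; exit 1 ;;
        esac
    done
    case $other in
        r??) ;;
        *) printf '%s: others cannot read it, so the index listing is forbidden (%s)\n' "$path" "$perm"; exit 1 ;;
    esac
    exit 0
)
```

Run it as check_userdir_perms /home/ajeet/public_html; util-linux's namei -m prints the same chain with modes if you prefer a stock tool. Correct mode bits are not always the whole story on Fedora: with SELinux enforcing, httpd is also denied access to home directories until the httpd_enable_homedirs boolean is switched on with setsebool -P.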
Try Browsing http://localhost/~ajeet
Index of /~ajeet
[ICO] Name Last modified Size Description
[DIR] Parent Directory -
[DIR] ISO/ 23-Oct-2009 23:11 -
[DIR] ISO2/ 23-Oct-2009 23:11 -
[DIR] ISO3/ 23-Oct-2009 23:11 -
Apache/2.2.11 (Fedora) Server at localhost Port 80
So users can have their own web pages.
Happy Apaching !!!