Archive for August, 2009

Using iptables to rate limit incoming connections

We all know various ways of blocking dictionary attacks over ssh, such as disabling direct root login, moving sshd off the default port 22, and so on. Besides these, we can also use iptables in a smarter way to achieve the same result. Let's see how to accomplish this.

We make use of the recent module, which adds IP addresses to a list that later rules can test connection attempts against. Let's make things clear with an example. Consider the following two iptables commands.

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Here the --set parameter in the first rule makes sure that the IP address of the host which initiated the connection is added to the "recent list", where it is tested again by the second rule.

It's in the second rule that the actual magic happens.

The --update flag tests whether the IP address is in the list of recent connections; in our case every new connection on port 22 will be in the list, because we used the --set flag to add it in the other rule.

The --seconds flag makes sure that the IP address only matches if its last recorded connection was within the given time frame.

The --hitcount flag works in a similar way, matching only if the number of recorded connection attempts is greater than or equal to the number given.

Because both commands use -I, the second (DROP) rule ends up above the --set rule, so each packet is checked first and recorded only if it passes. So the combined effect of the two rules is to DROP a new connection from an IP address that has previously been added to the list, has sent a packet in the past 60 seconds and has sent more than 4 new-connection packets within that window.

We can change the connection limit by modifying the hit count.
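To see how --seconds and --hitcount interact, here is an added Python model of the recent list (written for this page, not code from the original post); it assumes the module's default of 20 remembered packets per address and the rule order the two -I commands produce, and shows a host that retries every 10 seconds being cut off at its fifth attempt.

```python
from collections import defaultdict

SECONDS = 60     # --seconds 60
HITCOUNT = 4     # --hitcount 4
LIST_SIZE = 20   # packets remembered per address (assumed: the module's default ip_pkt_list_tot)

class RecentList:
    """Model of one xt_recent list: source address -> timestamps of recorded packets."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: record this packet against its source address
        self.stamps[ip].append(now)
        del self.stamps[ip][:-LIST_SIZE]          # oldest entries fall out of the ring

    def update(self, ip, now):
        # --update --seconds S --hitcount H: match only if the address is already
        # listed and at least H of its recorded packets fall inside the last S
        # seconds; on a match the current packet is recorded too (the "update").
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t < SECONDS)
        if hits < HITCOUNT:
            return False
        self.set(ip, now)
        return True

def verdicts(events):
    """events: (timestamp, source_ip) for each NEW connection to port 22.
    Both commands in the post use -I, so the second (DROP) rule sits above
    the --set rule: a packet is checked first and recorded only if it passes."""
    rl = RecentList()
    out = []
    for now, ip in events:
        if rl.update(ip, now):
            out.append("DROP")
        else:
            rl.set(ip, now)
            out.append("ACCEPT")
    return out

if __name__ == "__main__":
    # constructed trace: one host retries every 10 s, another connects once
    trace = [(0, "10.0.0.5"), (10, "10.0.0.5"), (15, "10.0.0.9"), (20, "10.0.0.5"),
             (30, "10.0.0.5"), (40, "10.0.0.5"), (50, "10.0.0.5"), (110, "10.0.0.5")]
    for (t, ip), v in zip(trace, verdicts(trace)):
        print(f"t={t:3d} {ip:10s} {v}")
```

Note that the attempt at t=110 is accepted again: the older stamps have aged out of the 60-second window, which is why the limit throttles rather than permanently bans.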

SSHfs: mounting remote filesystem over ssh?

What is sshfs ?

SSHFS is a filesystem client based on the SSH File Transfer Protocol. It uses the Filesystem in Userspace (FUSE) framework by Miklos Szeredi.

Advantages of SSHFS

While sshfs may not be as fast and featureful as other full-blown network filesystems such as NFS or Samba, it still has some great features:

1. Very easy to use: on the server side there's nothing to do, and on the client side mounting the filesystem is as easy as logging into the server with ssh

2. Provides secure (encrypted) access to remote files

3. Has decent performance (multithreaded, caching directory contents and allowing large reads)

4. Should work well even over slow and/or unstable links (think dialup), knows how to reconnect to the server when the connection is broken

Requirements

The FUSE kernel module must be installed and loaded before using sshfs.

Packages Required

1. Kernel source (for the currently running kernel)

2. FUSE : http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz

3. SSHFS-FUSE : http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

4. OpenSSH client

Installing and configuring SSHFS

Installing FUSE

1. Download the FUSE kernel module source from http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz
#wget http://jaist.dl.sourceforge.net/sourceforge/fuse/fuse-2.5.3.tar.gz

2. Go to your kernel source directory and prepare it if it is a fresh kernel source

#cd /usr/src/linux-2.6.9-5.EL
#make menuconfig

3. Untar the FUSE package and change directory to the source directory of FUSE

#tar xzf fuse-2.5.3.tar.gz
#cd fuse-2.5.3

4. Configure the FUSE source package.

#./configure --with-kernel=/usr/src/linux-2.6.9-5.EL

5. Build the FUSE module and install it

#make
#make install

6. Load the FUSE module into the kernel

#modprobe fuse

Installing SSHFS

1. Download the sshfs-fuse package from http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

#wget http://jaist.dl.sourceforge.net/sourceforge/fuse/sshfs-fuse-1.6.tar.gz

2. Untar the source package and change directory to the sshfs-fuse source directory

#tar xzf sshfs-fuse-1.6.tar.gz
#cd sshfs-fuse-1.6

3. Build and install sshfs

#./configure
#make
#make install

Using SSHFS

You can mount a remote directory using the command sshfs user@host:/path mountpoint, e.g.:

#sshfs user1@192.168.1.215:/docs docs

If sshd on the remote server is listening on an alternate port, you can use -o port=, e.g. for sshd listening on 2222:

#sshfs -oport=2222 user1@192.168.1.215:/docs docs

To unmount the filesystem, use fusermount -u, e.g.:

#fusermount -u docs

SBDavid

Network tuning for Linux kernels

TCP buffer auto-tuning is enabled by default for kernels after 2.6.17.

Check that auto-tuning is enabled: /proc/sys/net/ipv4/tcp_moderate_rcvbuf should be set to 1.

Also increase the memory reserved for TCP send/receive buffers.

Initially, "echo" the values below into the corresponding /proc files. If you see a considerable difference in upload/download speed, you can make them permanent as sysctl parameters.

net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 256960 16777216
net.ipv4.tcp_wmem = 4096 256960 16777216
net.ipv4.tcp_no_metrics_save = 1
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216

SBDavid

Setup wvdial to dial your ISP

If you use a dial-up internet connection, you can configure your Linux box to connect to the internet as discussed below.

Before you attempt to get dial-on-demand working, make sure that you can dial up your ISP.
If this is the first time you are connecting to the internet, 'su' to root and run the 'wvdialconf' script. This builds a configuration file for wvdial: it detects your modem, its maximum baud rate and a good initialization string, and generates or updates the wvdial configuration file from that information.

bash$ wvdialconf /etc/wvdial.conf
Scanning your serial ports for a modem.

ttyS0: ATQ0 V1 E1 -- failed with 2400 baud, next try: 4800 baud
ttyS0: ATQ0 V1 E1 -- OK
ttyS0: ATQ0 V1 E1 Z -- OK
ttyS0: ATQ0 V1 E1 S0=0 -- OK
ttyS0: ATQ0 V1 E1 S0=0 &C1 -- OK
ttyS0: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK
ttyS0: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 -- ERROR
ttyS0: Modem Identifier: ATI -- 128K
ttyS0: Speed 9600: AT -- OK
ttyS0: Speed 19200: AT -- OK
ttyS0: Speed 38400: AT -- OK
ttyS0: Speed 57600: AT -- OK
ttyS0: Speed 115200: AT -- OK
ttyS0: Max speed is 115200; that should be safe.
ttyS0: ATQ0 V1 E1 S0=0 &C1 &D2 -- OK

Found a modem on /dev/ttyS0.
/etc/wvdial.conf: Can't read config file /etc/wvdial.conf:
No such file or directory
Modem configuration written to /etc/wvdial.conf.
ttyS0: Speed 115200; init "ATQ0 V1 E1 S0=0 &C1 &D2"

This produces the configuration file /etc/wvdial.conf with entries such as:

[Dialer Defaults]
Modem = /dev/ttyS0
Baud = 115200
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
ISDN = 0
Modem Type = Analog Modem
; Phone =
; Username =
; Password =

You can now fill in your ISP's phone number, your username and password, and you should be able to run wvdial and connect to the Internet. Type wvdial and several lines will scroll past, stopping once pppd has started. To stop the connection, press Ctrl-C.

You may re-arrange your wvdial.conf to separate the modem configuration from any ISP account details.

[dialer defaults]
Init1 = ATZ
Init2 = AT+CRM = 1
ISDN = 0
Modem = /dev/ttyACM0
Baud = 460800
Flow control = Hardware (CRTSCTS)
Carrier check = no
Dial command = ATDT
SetVolume = 0

[Dialer ABC]
Phone = #12345
Username = xxxxx
Password = xxxxx

Suppose your service provider is ABC; you configure the username and password to dial the phone number 12345 as shown above.

Now, execute the following command to connect to the internet:

bash-3.1$ sudo wvdial ABC

You should see output such as:

bash-3.1$ sudo wvdial ABC
WvDial: Internet dialer version 1.56 (abuild@mandelbrot)
Cannot get information for serial port.
Initializing modem.
Sending: ATZ
ATZ
OK
Sending: AT+CRM = 1
AT+CRM = 1
OK
Modem initialized.
Sending: ATDT#12345
Waiting for carrier.
ATDT#12345
CONNECT
Carrier detected. Waiting for prompt.
Don't know what to do! Starting pppd and hoping for the best.
Starting pppd at Sat Apr 5 23:35:36 2008
Pid of pppd: 5037
Using interface ppp0

The above method should work fine for other Linux distros with slight modification.

SBDavid

How to Configure Samba

What is Samba?

Samba allows Linux boxes to share files and printers across a network by using the SMB protocol.

Installing Samba

You can get RPM packages from http://www.samba.org or http://rpmfind.net. Alternatively, you can install it with the "yum" or "up2date" utilities.

Configuration

The Samba configuration file is located at /etc/samba/smb.conf; open it and edit the following lines according to your requirements.

# Global settings

[global]
workgroup = WORKGROUP
server string = Samba Server
hosts allow = windows_machine_IP [192.168.2. 192.168.2.]
log file = /var/log/samba/%m.log
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# User settings

[homes]
comment = shares
path = /usr/sakthi
valid users = sakthi
browseable = yes
writable = yes
public = yes

# Printer settings

[printers]
path = /var/spool/samba
public = yes
printable = yes
browseable = yes
writable = yes

Let me explain some of the important variables in this configuration file.

1. hosts allow:

It allows only the listed IP addresses (or networks) to connect to the Samba server. In the same manner, you can deny addresses using the "hosts deny" directive.

2. security:

Samba has these security modes: SHARE, USER, DOMAIN, ADS and SERVER.

i) USER - In this mode, the client will send a session setup request directly following protocol negotiation. This request provides a username and password.

ii) SHARE - In Share Level security, the client authenticates itself separately for each share. It sends a password along with each tree connection (share mount).

The client expects a password to be associated with each share, independent of the user.

iii) DOMAIN - When Samba is operating in this mode, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the Domain Controllers.

This method involves addition of the following parameters in the smb.conf file:

security = domain
workgroup = WORKGROUP

iv) ADS - Active Directory in native mode fully supports NT4-style domain members, which is what this mode relies on.

v) SERVER - In this mode, the Samba server takes the username/password that the client sends and attempts to login to the ‘password server’ by sending exactly the same username/password. If that server is in User Level Security and accepts the password, then Samba accepts the client’s connection. This allows the Samba server to use another SMB server as the password server.

This method involves the addition of the following parameters in the smb.conf file:

encrypt passwords = Yes
security = server
password server = "NetBIOS_name_of_a_DC"

3. encrypt passwords:

By default, Samba uses plain-text passwords to authenticate clients who access network resources, and the Microsoft SMB protocol originally used plain-text passwords too. However, Windows NT 4.0 with Service Pack 3 or higher, Windows 98, Windows 2000, Windows ME and Windows XP require encrypted Samba passwords.

So this option must be enabled if the clients connect from Windows 98, Windows NT 4.0 with Service Pack 3, or any more recent version of Microsoft Windows. Passwords are then transferred between the server and the client in an encrypted form instead of as plain text that can be intercepted.

To configure Samba to use encrypted passwords, follow these steps:

i) Create a separate password file for Samba. To create it from the existing /etc/passwd file, type the following at a shell prompt:

cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

The mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.

ii) Change the permissions of the Samba password file so that only root has read and write permissions:

chmod 600 /etc/samba/smbpasswd

iii) To set each Samba user’s password, use the following command.

smbpasswd username

4. smb passwd file:

See step 3 i) above.

5. valid users:

The "valid users" directive specifies the users that are allowed to access the share.

6. browseable:

This directive specifies whether users can browse the share; if it is 'yes', they can.

7. writable:

This directive gives users write access to the share if it is "yes".

8. public:

It specifies whether public (guest) access to the share is allowed.

Once you have configured this file correctly, start the Samba service on the Linux machine:

service smb start
service smb stop
service smb restart
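As an added check for the directives explained above (written for this page, not part of the original post or of Samba), the following Python script parses an smb.conf and flags the settings a reviewer would question: share-level security, encrypted passwords turned off, a missing hosts allow, and a share that is both public and writable. The embedded configuration is constructed for the demonstration and deliberately weaker than the post's example so that every check fires.

```python
import configparser

# Constructed smb.conf for the demonstration (not a real server's file):
# same layout as the post's example but with weaker settings so the audit fires.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
hosts allow = 192.168.2.
log file = /var/log/samba/%m.log
security = share
encrypt passwords = no
smb passwd file = /etc/samba/smbpasswd

[homes]
comment = shares
path = /usr/sakthi
valid users = sakthi
browseable = yes
writable = yes
public = yes
"""

YES = {"yes", "true", "1"}   # the spellings Samba accepts for a boolean "on"

def load_smb_conf(text):
    # smb.conf is INI-like: '#' and ';' comments, keys may contain spaces, and
    # '%m'-style substitutions must not be treated as configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp

def is_yes(section, key, default="no"):
    return section.get(key, default).strip().lower() in YES

def audit(cp):
    """Return a list of findings for the directives the post explains."""
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("security", "user").strip().lower() == "share":
        findings.append("global: security = share authenticates per share, not per user")
    if not is_yes(g, "encrypt passwords", "yes"):
        findings.append("global: encrypt passwords = no sends passwords in clear text")
    if "hosts allow" not in g:
        findings.append("global: no hosts allow, so any reachable host may connect")
    for name in cp.sections():
        if name in ("global", "printers"):
            continue
        if is_yes(cp[name], "public") and is_yes(cp[name], "writable"):
            findings.append(f"{name}: public = yes with writable = yes lets guests write")
    return findings
```

Run audit(load_smb_conf(open("/etc/samba/smb.conf").read())) against a real file; an empty list means none of these four checks fired.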

Client side configuration:

1. Windows Explorer >> Tools >> Map Network Drive
2. Select a drive letter
3. Enter the path (e.g. \\your_server_ip\shares)
4. Click "Connect using a different user name"
5. Enter your Samba username and password
6. You can connect to your Linux machine now!
